Vulnerability Details: CVE-2015-9284
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2015-9284
- cpe:2.3:a:omniauth:omniauth:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-9284
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2015-9284
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2015-9284
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)
References for CVE-2015-9284
- https://github.com/omniauth/omniauth-rails/pull/1 : "Protect request phase against CSRF." by DouweM · Pull Request #1 · omniauth/omniauth-rails · GitHub (Third Party Advisory)
- https://github.com/omniauth/omniauth/pull/809 : "Protect request phase against CSRF when Rails is used." by DouweM · Pull Request #809 · omniauth/omniauth · GitHub (Patch; Third Party Advisory)
- https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 : "Resolving CVE-2015-9284" · omniauth/omniauth Wiki · GitHub (Mitigation; Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2015/05/26/11 : oss-security, "CVE Request: CSRF vulnerability in OmniAuth request phase" (Mailing List; Patch; Third Party Advisory)