Vulnerability Details : CVE-2019-11027
Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
Products affected by CVE-2019-11027
- cpe:2.3:a:openid:ruby-openid:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11027
- EPSS score: 0.47% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-11027
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
References for CVE-2019-11027
- https://lists.debian.org/debian-lts-announce/2019/10/msg00014.html : [SECURITY] [DLA 1956-1] ruby-openid security update
- https://marc.info/?l=openid-security&m=155154717027534&w=2 : 'Re: [security] Security issue with ruby-openid library' - MARC (Mailing List; Third Party Advisory)
- https://github.com/openid/ruby-openid/issues/122 : Question concerning CVE-2019-11027 · Issue #122 · openid/ruby-openid · GitHub
- https://security.gentoo.org/glsa/202003-09 : OpenID library for Ruby: Server-Side Request Forgery (GLSA 202003-09) — Gentoo security