{"containers": {"cna": {"affected": [{"product": "omniauth ruby gem", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2015-05-25T00:00:00", "descriptions": [{"lang": "en", "value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF) (CWE-352)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-04T14:41:58", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/omniauth/omniauth/pull/809"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/omniauth/omniauth-rails/pull/1"}, {"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2015-9284", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "omniauth ruby gem", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Request Forgery (CSRF) (CWE-352)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/omniauth/omniauth/pull/809", "refsource": "MISC", "url": "https://github.com/omniauth/omniauth/pull/809"}, {"name": "https://github.com/omniauth/omniauth-rails/pull/1", "refsource": "MISC", "url": "https://github.com/omniauth/omniauth-rails/pull/1"}, {"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase", "refsource": "MLIST", "url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"}, {"name": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284", "refsource": "MISC", "url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:43:42.338Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/omniauth/omniauth/pull/809"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/omniauth/omniauth-rails/pull/1"}, {"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2015-9284", "datePublished": "2019-04-26T14:03:53", "dateReserved": "2019-04-09T00:00:00", "dateUpdated": "2024-08-06T08:43:42.338Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:omniauth:omniauth:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "E7DFDC87-A880-470C-8850-4137441C3745", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."}, {"lang": "es", "value": "La fase request del GEM de OmniAuth Ruby (versi\u00f3n 1.9.1 y versiones anteriores) es vulnerable Cross-Site Request Forgery cuando se usa como parte del Ruby sobre Rails Framework, permite que las cuentas se conecten sin intenci\u00f3n del usuario, interacci\u00f3n de usuario o retroalimentaci\u00f3n al usuario. Esto permite a una cuenta secundaria poder iniciar sesi\u00f3n en la aplicaci\u00f3n web como la cuenta principal."}], "id": "CVE-2015-9284", "lastModified": "2024-02-14T16:29:38.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-26T15:29:00.267", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://github.com/omniauth/omniauth-rails/pull/1"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/omniauth/omniauth/pull/809"}, {"source": "support@hackerone.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"bugzilla": {"description": "rubygem-omniauth: request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery leading to connection without user intent", "id": "1707375", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1707375"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.", "A flaw was found in rubygem-omniauth. The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. Accounts are allowed to be connected without user intent, user interaction, or feedback to the user which permits a secondary account to be able to sign into the web application as the primary account. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2015-9284", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "cfme-gemset", "product_name": "CloudForms Management Engine 5"}], "public_date": "2015-05-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-9284\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-9284"], "statement": "Red Hat CloudForms 4.5 is on maintenance support phase, thus only critical issues will be fixed.", "threat_severity": "Important"}