CVE-2017-18076

Published: Jan 26, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/omniauth/omniauth/pull/867

x_refsource_CONFIRM

DSA-4109

vendor-advisory

x_refsource_DEBIAN

https://bugs.debian.org/888523

x_refsource_CONFIRM

https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2017-18076

Description

Affected Products

References