Showing 1 - 1 of 1

CVE-2017-18076

Status Candidate

Overview

In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.

Related Files

Debian Security Advisory 4109-1: Posted Feb 11, 2018; Authored by Debian | Site debian.org; Debian Linux Security Advisory 4109-1 - Lalith Rallabhandi discovered that OmniAuth, a Ruby library for implementing multi-provider authentication in web applications, mishandled and leaked sensitive information. An attacker with access to the callback environment, such as in the case of a crafted web application, can request authentication services from this module and access to the CSRF token.; tags | advisory, web, ruby; systems | linux, debian; advisories | CVE-2017-18076; SHA-256 | e59f433e0256fcb085e31cbcbe55a04241623a2742f3d2f521b26f9b0dd390b5; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 227 files
Ubuntu 94 files
Gentoo 29 files
Debian 21 files
tmrswrr 9 files
Sina Kheirkhah 7 files
bRpsd 4 files
Amit Roy 4 files
nu11secur1ty 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,075)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,529)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,299)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,236)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,642)
UNIX (9,424)
UnixWare (187)
Windows (6,665)
Other

CVE-2017-18076

Overview

Related Files

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems