Candidate: CVE-2015-9284
PublicDate: 2019-04-26 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284
 https://github.com/omniauth/omniauth-rails/pull/1
 https://github.com/omniauth/omniauth/pull/809
 https://www.openwall.com/lists/oss-security/2015/05/26/11
Description:
 The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is
 vulnerable to Cross-Site Request Forgery when used as part of the Ruby on
 Rails framework, allowing accounts to be connected without user intent,
 user interaction, or feedback to the user. This permits a secondary account
 to be able to sign into the web application as the primary account.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_ruby-omniauth:
upstream_ruby-omniauth: needed
precise/esm_ruby-omniauth: DNE
trusty/esm_ruby-omniauth: DNE
xenial_ruby-omniauth: ignored (end of standard support, was needed)
bionic_ruby-omniauth: needed
cosmic_ruby-omniauth: ignored (reached end-of-life)
disco_ruby-omniauth: ignored (reached end-of-life)
eoan_ruby-omniauth: ignored (reached end-of-life)
focal_ruby-omniauth: needed
groovy_ruby-omniauth: ignored (reached end-of-life)
hirsute_ruby-omniauth: ignored (reached end-of-life)
impish_ruby-omniauth: needed
jammy_ruby-omniauth: needed
devel_ruby-omniauth: needed