Candidate: CVE-2017-18076
PublicDate: 2018-01-26 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18076
 https://github.com/omniauth/omniauth/pull/867
 https://bugs.debian.org/888523
 https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b
Description:
 In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is
 improperly protected because POST (in addition to GET) parameters are
 stored in the session and become available in the environment of the
 callback phase.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888523
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_ruby-omniauth:
upstream_ruby-omniauth: released (1.3.1-2)
precise/esm_ruby-omniauth: DNE
trusty_ruby-omniauth: ignored (reached end-of-life)
trusty/esm_ruby-omniauth: DNE (trusty was needed)
xenial_ruby-omniauth: released (1.3.1-1+deb9u1build0.16.04.1)
artful_ruby-omniauth: released (1.3.1-1+deb9u1build0.17.10.1)
bionic_ruby-omniauth: not-affected (1.3.1-2)
cosmic_ruby-omniauth: not-affected (1.3.1-2)
disco_ruby-omniauth: not-affected (1.3.1-2)
devel_ruby-omniauth: not-affected (1.3.1-2)