Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does CVE-2015-9284 is an issue? #177

Closed
kanevk opened this issue Jul 9, 2019 · 2 comments
Closed

Does CVE-2015-9284 is an issue? #177

kanevk opened this issue Jul 9, 2019 · 2 comments

Comments

@kanevk
Copy link

kanevk commented Jul 9, 2019

Hello,

is the security vulnerability CVE-2015-9284 concerns omniauth-saml gem?
@jhirn
Copy link

jhirn commented Aug 7, 2019

I don't think so, but I haven't confirmed. It seems to be specifically related to OAuth clients.

@bufferoverflow
Copy link
Member

Impact is described over here omniauth/omniauth#809

The request phase in OmniAuth is currently vulnerable to Cross-Site Request Forgery, which allows an attacker to easily gain full access to a user's account on a site that uses OmniAuth, when used in combination with another CSRF vulnerability on the side of a connected OAuth provider.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jhirn @bufferoverflow @kanevk