This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Missing Advisory: omniauth CVE-2015-9284 #79

Closed
DarthHater opened this issue Apr 13, 2020 · 2 comments
Labels
advisory An advisory missing from the OSS Index database

Comments

@DarthHater
Member

I'm unsure if this is truly missing, or the version range is wrong. Starting with missing since I don't have insight to see if it's the version range.

Advisory details

  URL: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
  format: rubygem
  namespace: 
  name: omniauth
  versions: This affects up to the newest version, so `1.9.1` in this case; no fix has been released

From bundle-audit:

```
Name: omniauth
Version: 1.9.0
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/809
Title: CSRF vulnerability in OmniAuth's request phase
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
```

More information
Basically, the fix for this has not been merged, more info can be seen here:

omniauth/omniauth#809

We found this issue while testing chelsea against the results from bundle-audit on a project.

@DarthHater added the `advisory` label Apr 13, 2020
@ken-duck
Contributor

This has been added and should show up tomorrow, all going well.

@ken-duck
Contributor

Visual confirmation indicates this has been added.
