RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
BID:57950
Info
RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
| Bugtraq ID: | 57950 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-6134 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 11 2013 12:00AM |
| Updated: | Feb 11 2013 12:00AM |
| Credit: | homakov |
| Vulnerable: |
Michael Bleigh omniauth-oauth2 0 |
| Not Vulnerable: | |
Discussion
RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
omniauth-oauth2 is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
omniauth-oauth2 is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
Exploit / POC
RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
To exploit this issue an attacker must entice an unsuspecting victim to visit a malicious webpage.
To exploit this issue an attacker must entice an unsuspecting victim to visit a malicious webpage.
Solution / Fix
RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
RubyGems omniauth-oauth2 CVE-2012-6134 Cross Site Request Forgery Vulnerability
References:
References:
- CSRF vulnerability, injecting state in session (homakov)
- Merge pull request #25 from homakov/patch-1 (Michael Bleigh)
- Rubygems Homepage (Rubygems)
- omniauth-oauth2 Product Page (Michael Bleigh)