omniauth
Ecosystem: RubyGems. 3 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting omniauth
- CVE-2015-9284 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 2.0.0 | published 2019-04-26
vulnerable: 0.0.1 ... 2.0.0.pre.rc1 (60 versions)
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedba…
- CVE-2017-18076 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.3.2 | published 2018-01-26
vulnerable: 0.0.1 ... 1.3.1 (44 versions)
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
- CVE-2020-36599 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 2.0.0 | published 2022-08-18
vulnerable: 2.0.0.pre.rc1 (note: the advisory text below also covers 1.x releases before 1.9.2, which is the corresponding fix on the 1.x line)
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
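The three advisories above touch three distinct code paths in an OmniAuth-style middleware: the request phase (CVE-2015-9284, a GET-reachable request phase with no CSRF check), the copying of request parameters into the session (CVE-2017-18076, POST bodies merged in alongside the query string), and the failure endpoint (CVE-2020-36599, message_key interpolated into the redirect unescaped). The following is an added illustration written for this page, not code from the omniauth gem or its patches: a plain-Ruby model of each path in a vulnerable form beside a hardened form. The module name, the session key "csrf_token", the parameter name "authenticity_token" and the "/auth/failure" path are assumptions chosen for the example; stdlib only, so it runs without Rack or OmniAuth installed. The real-world remediation for the first item is upgrading to OmniAuth 2.0, whose allowed_request_methods defaults to POST only, together with the omniauth-rails_csrf_protection gem on Rails.

```ruby
# Added example for this page (not omniauth's own code): a minimal model of the
# three code paths named by CVE-2015-9284, CVE-2017-18076 and CVE-2020-36599.
# Names such as "csrf_token", "authenticity_token" and "/auth/failure" are
# assumptions made for the illustration.
require "uri"

module OmniAuthModel
  # --- CVE-2015-9284: request phase reachable by GET, no CSRF check ---------
  # Vulnerable: any HTTP method starts the provider hand-off, so a cross-site
  # <img src=...> or auto-submitting form can link an attacker-controlled
  # provider account to the victim's session with no user interaction.
  def self.request_phase_vulnerable(method:, params:, session:)
    true
  end

  # Hardened: only POST is accepted and the submitted token must equal the one
  # held in the server-side session (the check OmniAuth 2.0 plus the
  # omniauth-rails_csrf_protection gem perform).
  ALLOWED_REQUEST_METHODS = ["POST"].freeze

  def self.request_phase_hardened(method:, params:, session:)
    return false unless ALLOWED_REQUEST_METHODS.include?(method.to_s.upcase)
    expected = session["csrf_token"]
    actual   = params["authenticity_token"]
    return false if expected.nil? || actual.nil?
    secure_compare(expected, actual)
  end

  # Constant-time comparison so token guessing cannot be timed byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # --- CVE-2017-18076: POST params copied into the session -------------------
  # Vulnerable (OmniAuth < 1.3.2): query-string AND form-body params are merged
  # and stored, so a POSTed authenticity_token is persisted in the session and
  # later surfaces in the callback phase's environment.
  def self.capture_params_vulnerable(query_string, form_body)
    URI.decode_www_form(query_string).to_h
       .merge(URI.decode_www_form(form_body).to_h)
  end

  # Hardened: keep only the query-string params; the form body is never stored.
  def self.capture_params_hardened(query_string, _form_body)
    URI.decode_www_form(query_string).to_h
  end

  # --- CVE-2020-36599: failure endpoint interpolates message_key raw ---------
  # Vulnerable: attacker-influenced message_key lands in the Location header
  # verbatim, so markup and extra query parameters survive into the redirect.
  def self.failure_path_vulnerable(message_key, strategy)
    "/auth/failure?message=#{message_key}&strategy=#{strategy}"
  end

  # Hardened: percent-encode every value when building the query string.
  def self.failure_path_hardened(message_key, strategy)
    "/auth/failure?" + URI.encode_www_form("message" => message_key,
                                           "strategy" => strategy)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for a quick manual run.
  session = { "csrf_token" => "tok123" }
  puts OmniAuthModel.request_phase_hardened(method: "GET", params: {}, session: session)
  puts OmniAuthModel.capture_params_hardened("origin=%2Fhome", "authenticity_token=secret").inspect
  puts OmniAuthModel.failure_path_hardened("<script>alert(1)</script>", "github")
end
```

The request-phase check is the one most deployments still get wrong: upgrading to 2.0 alone only restricts the method, and the token comparison comes from the Rails CSRF integration, so both pieces need to be in place.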
Check whether omniauth is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for omniauth CVEs against the assets you own.