8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-9284

GHSA ID

GHSA-ww4x-rwq6-qpgf

EPSS Score

0.73695%

CWE

CWE-352

Published

5/29/2019

Updated

2/15/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-9284

CVE-2015-9284: OmniAuth Ruby gem Cross-site Request Forgery in request phase

The request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

As of v2 OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. There is a recommended remediation described here.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-9284

GHSA ID

GHSA-ww4x-rwq6-qpgf

EPSS Score

0.73695%

CWE

CWE-352

Published

5/29/2019

Updated

2/15/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
omniauth	rubygems	<= 1.9.2	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key factors: 1) The request_phase implementation in strategies processed GET requests without CSRF validation, and 2) The default configuration explicitly permitted GET requests. Together, these allowed attackers to forge authentication initiation requests. The fix in v2.0.0 involved restricting allowed methods to POST by default and adding CSRF validation, confirming these as the vulnerable components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** r*qu*st p**s* o* t** Omni*ut* Ru*y **m (*.*.* *n* **rli*r) is vuln*r**l* to *ross-Sit* R*qu*st *or**ry w**n us** *s p*rt o* t** Ru*y on R*ils *r*m*work, *llowin* ***ounts to ** *onn**t** wit*out us*r int*nt, us*r int*r**tion, or *******k to t** u

Reasoning

T** vuln*r**ility st*ms *rom two k*y ***tors: *) T** `r*qu*st_p**s*` impl*m*nt*tion in str*t**i*s pro**ss** **T r*qu*sts wit*out *SR* `v*li**tion`, *n* *) T** ****ult `*on*i*ur*tion` *xpli*itly p*rmitt** **T r*qu*sts. To**t**r, t**s* *llow** *tt**k*r

8.8

Basic Information

Concerned about an active attack path?

CVE-2015-9284: OmniAuth Ruby gem Cross-site Request Forgery in request phase

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI