
CVE-2015-9284: OmniAuth Ruby gem Cross-site Request Forgery in request phase

CVSS Score
8.8 (CVSS v3.1)

Basic Information

EPSS Score
0.73695%
Published
5/29/2019
Updated
2/15/2024
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name
omniauth
Ecosystem
rubygems
Vulnerable Versions
<= 1.9.2
First Patched Version
2.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two factors that combine: 1) the request phase (the `/auth/:provider` endpoint each strategy serves) started an authentication flow without any CSRF check, and 2) the default `OmniAuth.config.allowed_request_methods` was `[:get, :post]`, so a plain cross-site GET (an `<img>` tag or a link on an attacker's page) was enough to start the flow in the victim's session. Together these let an attacker initiate an account-linking flow on the victim's behalf, with no user interaction or feedback. The fix in v2.0.0 changed the default to `allowed_request_methods = [:post]` and added a `request_validation_phase` that checks the request before the strategy runs (in Rails, the `omniauth-rails_csrf_protection` gem wires this to the authenticity-token check). Both parts matter: restricting to POST on its own only stops the trivial GET variant, because an attacker's page can auto-submit a cross-site POST form; it is the token check that a cross-site page cannot satisfy. Applications upgrading must also switch their own "sign in with" links to POST forms, since GET requests to the request phase now return 405.
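To make the two factors concrete, the following is an added example, not OmniAuth's own code: a small Ruby model of the request phase with the pre-2.0 defaults (GET allowed, no validation) next to the 2.0 defaults (POST only, authenticity-token check). `RequestPhase`, the `:method`/`:params`/`:session` env hash, the token check and the sample requests are all constructed for this illustration and only stand in for `OmniAuth.config.allowed_request_methods` and `OmniAuth.config.request_validation_phase`.

```ruby
# Added example (not OmniAuth's own code): a model of the OmniAuth request
# phase that reproduces the pre-2.0 defaults next to the 2.0 defaults.
# RequestPhase, the env hash shape and the sample requests are constructed.
class RequestPhase
  attr_reader :allowed_methods

  # allowed_methods stands in for OmniAuth.config.allowed_request_methods;
  # validator stands in for OmniAuth.config.request_validation_phase
  # (nil means no check at all, the effective pre-2.0 behaviour).
  def initialize(allowed_methods:, validator: nil)
    @allowed_methods = allowed_methods
    @validator = validator
  end

  # env is a Rack-like hash: :method, :params, :session.
  # Returns [status, body]. 302 means the request phase ran, i.e. the
  # browser is sent to the provider and the resulting callback will be
  # tied to this session, whether or not the user asked for it.
  def call(env)
    method = env[:method].to_s.downcase.to_sym
    return [405, 'method not allowed'] unless allowed_methods.include?(method)
    return [403, 'invalid authenticity token'] if @validator && !@validator.call(env)
    [302, 'redirect to provider']
  end
end

# Rails-style authenticity token check: the token in the submitted form must
# match the one held in the session. A cross-site page cannot read the
# session's token, so a forged request cannot supply it.
AUTHENTICITY_TOKEN_CHECK = lambda do |env|
  expected = env[:session][:csrf_token]
  supplied = env[:params]['authenticity_token']
  !expected.nil? && !supplied.nil? && expected == supplied
end

# Pre-2.0 defaults: GET allowed, no request validation.
VULNERABLE = RequestPhase.new(allowed_methods: %i[get post])
# 2.0 defaults: POST only, plus a request validation phase.
HARDENED = RequestPhase.new(
  allowed_methods: %i[post],
  validator: AUTHENTICITY_TOKEN_CHECK
)

# Constructed victim session; the token is what the app put in its own forms.
VICTIM_SESSION = { csrf_token: 'victim-token-123' }.freeze

# Attacker page loads <img src="https://app.example/auth/github">:
# a GET riding on the victim's cookies, with no token.
def forged_get(session = VICTIM_SESSION)
  { method: :get, params: {}, session: session }
end

# Attacker page auto-submits a form to /auth/github: a POST, but still
# without a token, because the attacker cannot read the victim's session.
def forged_post(session = VICTIM_SESSION)
  { method: :post, params: {}, session: session }
end

# The app's own "Connect GitHub" button: POST carrying the session's token.
def legitimate_post(session = VICTIM_SESSION)
  {
    method: :post,
    params: { 'authenticity_token' => session[:csrf_token] },
    session: session
  }
end

# Run each request through each configuration and return the status codes.
def outcomes
  {
    vulnerable_forged_get: VULNERABLE.call(forged_get).first,
    vulnerable_forged_post: VULNERABLE.call(forged_post).first,
    hardened_forged_get: HARDENED.call(forged_get).first,
    hardened_forged_post: HARDENED.call(forged_post).first,
    hardened_legitimate_post: HARDENED.call(legitimate_post).first
  }
end

if $PROGRAM_NAME == __FILE__
  outcomes.each { |name, status| puts "#{name}: #{status}" }
end
```

Running it shows the vulnerable configuration accepting both forged requests (302), while the hardened one rejects the GET with 405 and the token-less POST with 403 and only lets the app's own form through. The forged POST case is the reason the method restriction alone is not a fix; in a real Rails application on OmniAuth 2.x the equivalent of `HARDENED` is the default `allowed_request_methods = [:post]` plus the `omniauth-rails_csrf_protection` gem.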


WAF Protection Rules

WAF Rule

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the u
