
CVE-2024-21632: Omniauth::MicrosoftGraph Account takeover (nOAuth)

CVSS Score (v3.1)
8.6

Basic Information

EPSS Score: 0.47008%
Published: 1/3/2024
Updated: 1/9/2024
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
omniauth-microsoft_graph | rubygems | < 2.0.0 | 2.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from treating the unverified `email` claim as a trusted identifier. In Microsoft Entra ID that attribute is set by the tenant administrator and is not guaranteed to be verified, so an attacker in a tenant they control can assign a victim's address to their own account (the nOAuth setup). The pre-patch implementation lacked: 1) a comparison between the email domain and the userPrincipalName domain, 2) validation of the xms_edov (email domain owner verified) claim. The auth_hash method was the weak point, since it constructs the authentication hash from raw OAuth data without validation; the raw_info method supplied the unvalidated email that fed into it. The patch in 2.0.0 added DomainVerifier checks in auth_hash to address these issues.
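The two missing checks, as an added Ruby illustration that is not the omniauth-microsoft_graph gem's own code: a pre-patch style auth_hash that trusts `email` beside a hardened one that compares the email domain to the userPrincipalName domain and honours `xms_edov`. The claim names (`email`, `userPrincipalName`, `oid`, `xms_edov`) are Microsoft Entra ID's; the helper names, the `skip_domain_verification` option and the sample raw_info hashes are assumptions constructed for the example.

```ruby
# Added illustration of the root cause described above; it is not the
# omniauth-microsoft_graph gem's own code. `email`, `userPrincipalName`,
# `oid` and `xms_edov` are real Microsoft Entra ID claim names; everything
# else (helper names, the skip_domain_verification option, sample data) is
# constructed for this example.

# Constructed raw_info hashes as an app would see them after the Microsoft
# OAuth callback. Mallory, in a tenant she controls, set her account's
# mutable `email` attribute to the victim's address (the nOAuth setup).
ATTACKER_RAW_INFO = {
  "oid"               => "11111111-2222-3333-4444-555555555555",
  "userPrincipalName" => "mallory@attacker-tenant.onmicrosoft.com",
  "email"             => "ceo@victim-corp.com", # attacker-chosen, unverified
  "xms_edov"          => false,                 # tenant does not own victim-corp.com
}.freeze

LEGIT_RAW_INFO = {
  "oid"               => "66666666-7777-8888-9999-000000000000",
  "userPrincipalName" => "ceo@victim-corp.com",
  "email"             => "ceo@victim-corp.com",
  "xms_edov"          => true,
}.freeze

# Legitimate user whose tenant has not enabled the optional xms_edov claim;
# the email and UPN domains still agree, so the domain comparison accepts it.
LEGIT_NO_EDOV_RAW_INFO = {
  "oid"               => "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "userPrincipalName" => "cfo@victim-corp.com",
  "email"             => "CFO@Victim-Corp.com",
}.freeze

# Pre-patch pattern: whatever is in the `email` claim flows straight into the
# auth hash. An app that looks up or links accounts by info[:email] then
# hands Mallory the CEO's account.
def vulnerable_auth_hash(raw_info)
  { uid: raw_info["oid"], info: { email: raw_info["email"] } }
end

class DomainVerificationError < StandardError; end

# Accept `email` only if Entra attests the tenant owns its domain (xms_edov)
# or the email domain equals the userPrincipalName domain.
def verified_email(raw_info, skip_domain_verification: false)
  email = raw_info["email"].to_s
  return nil if email.empty?
  return email if skip_domain_verification # explicit, documented opt-out

  # xms_edov may arrive as a boolean or, depending on token handling, as a
  # string; treat only these spellings as "verified".
  edov_verified = [true, "true", "1", 1].include?(raw_info["xms_edov"])

  email_domain = email.split("@", 2)[1].to_s.downcase
  upn_domain   = raw_info["userPrincipalName"].to_s.split("@", 2)[1].to_s.downcase
  domain_match = !email_domain.empty? && email_domain == upn_domain

  unless edov_verified || domain_match
    raise DomainVerificationError,
          "email domain #{email_domain.inspect} not verified for UPN domain #{upn_domain.inspect}"
  end
  email
end

# Hardened pattern: the auth hash is only built from a verified address.
def hardened_auth_hash(raw_info, **opts)
  { uid: raw_info["oid"], info: { email: verified_email(raw_info, **opts) } }
end
```

Run against ATTACKER_RAW_INFO, vulnerable_auth_hash returns the CEO's address while hardened_auth_hash raises DomainVerificationError; the legitimate samples pass either by xms_edov or by domain match. The domain check narrows nOAuth but does not replace the durable application-side fix Microsoft recommends: key accounts on the immutable `oid` claim (scoped by tenant) rather than on email.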


WAF Protection Rules

WAF Rule

Summary

The implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to [nOAuth](https://www.descope.com/blog/post/noauth) misconfiguration in cases whe
