Lucene search
GitHub Advisory DatabaseGHSA-5G66-628F-7CVJHistoryJan 03, 2024 - 9:46 p.m.
Omniauth::MicrosoftGraph Account takeover (nOAuth)
2024-01-0321:46:46
CWE-287
GitHub Advisory Database
github.com
8
implementation
email attribute
legitimacy
noauth misconfiguration
trusted user identifier
software
Summary
The implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier
| CPE | Name | Operator | Version |
|---|---|---|---|
| omniauth-microsoft_graph | lt | 2.0.0 |
References
github.com/advisories/GHSA-5g66-628f-7cvj
github.com/synth/omniauth-microsoft_graph/commit/5ffd62690ca0e46978f2fc7d83b18d28edde7795
github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1
github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj
nvd.nist.gov/vuln/detail/CVE-2024-21632
www.descope.com/blog/post/noauth
Related
osv
osv
CVE-2024-21632
2024-01-02 22:15:10
Omniauth::MicrosoftGraph Account takeover (nOAuth)
2024-01-03 21:46:46
prion
prion
Information disclosure
2024-01-02 22:15:00
cve
cve
CVE-2024-21632
2024-01-02 22:15:10
veracode
veracode
Improper Authentication
2024-01-03 07:55:42
cvelist
cvelist