The implementation did not validate the legitimacy of the email attribute of the user, nor did it provide or document an option to do so. This made it susceptible to nOAuth misconfiguration in cases where the email is used as a trusted user identifier.
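
An added example (not code from omniauth-microsoft_graph or from the advisory) of the pattern the description refers to: a relying application that selects accounts by the email attribute, beside a lookup keyed on provider and uid. The `Account` struct, the helper names and the sample auth hashes are constructed for illustration, and the hashes assume OmniAuth's standard auth-hash layout (`provider`, `uid`, `info.email`).

```ruby
# Added example: relying-application account lookup (not the gem's code).
Account = Struct.new(:id, :provider, :uid, :email)

# Constructed account store and auth hashes in OmniAuth's auth-hash layout.
ACCOUNTS = [
  Account.new(1, "microsoft_graph", "uid-aaaa-1111", "alice@example.com")
].freeze
LEGITIMATE = { "provider" => "microsoft_graph", "uid" => "uid-aaaa-1111",
               "info" => { "email" => "alice@example.com" } }.freeze
SAME_EMAIL_OTHER_UID = { "provider" => "microsoft_graph", "uid" => "uid-bbbb-2222",
                         "info" => { "email" => "Alice@Example.com" } }.freeze

def claimed_email(auth)
  auth.dig("info", "email").to_s.strip.downcase
end

# Risky pattern: the unvalidated email attribute alone selects the account.
def find_account_by_email(auth)
  ACCOUNTS.find { |a| a.email.downcase == claimed_email(auth) }
end

# Safer pattern: provider + uid selects the account; email is profile data only.
def find_account_by_uid(auth)
  account = ACCOUNTS.find { |a| a.provider == auth["provider"] && a.uid == auth["uid"] }
  return [nil, :unknown_identity] unless account
  [account, claimed_email(auth) == account.email.downcase ? :ok : :email_changed]
end

# Check worth logging: email matches an existing account but the uid does not.
def email_collision?(auth)
  match = find_account_by_email(auth)
  !match.nil? && (match.provider != auth["provider"] || match.uid != auth["uid"])
end
```

With the constructed data, the email-keyed lookup resolves both hashes to account 1, while the uid-keyed lookup rejects the second hash and `email_collision?` flags it for review.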
| CPE | Name | Operator | Version |
|---|---|---|---|
| | omniauth-microsoft_graph | lt | 2.0.0 |
github.com/advisories/GHSA-5g66-628f-7cvj
github.com/synth/omniauth-microsoft_graph/commit/5ffd62690ca0e46978f2fc7d83b18d28edde7795
github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1
github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj
nvd.nist.gov/vuln/detail/CVE-2024-21632
www.descope.com/blog/post/noauth