Lucene search

RubySecRUBY:OMNIAUTH-WEIBO-OAUTH2-2019-17268

HistoryMay 23, 2022 - 9:00 p.m.

omniauth-weibo-oauth2 included a code-execution backdoor inserted by a third-party

2022-05-2321:00:00

RubySec

github.com

omniauth

weibo

oauth2

rubygems

code execution

backdoor

vulnerability

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org,
included a code-execution backdoor inserted by a third party. Versions through 0.4.5,
and 0.5.1 and later, are unaffected.

Affected configurations

Vulners

Node

rubyomniauth-weibo-oauth2Range≤0.5.1

VendorProductVersionCPE
rubyomniauth-weibo-oauth2*cpe:2.3:a:ruby:omniauth-weibo-oauth2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	omniauth-weibo-oauth2	*	cpe:2.3:a:ruby:omniauth-weibo-oauth2::::::::

References

github.com/beenhero/omniauth-weibo-oauth2/issues/36

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

Related for RUBY:OMNIAUTH-WEIBO-OAUTH2-2019-17268