Veracode Vulnerability Database: VERACODE:44922

Improper Authentication

Published: Jan 03, 2024 - 7:55 a.m. (2024-01-03 07:55:42)
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: authentication, omniauth-microsoft_graph, email verification, oauth, account takeover

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 29.7%)

omniauth-microsoft_graph is vulnerable to Improper Authentication. The vulnerability is due to missing validation of the email attribute received from Microsoft's OAuth service. This allows an attacker to bypass the email verification step of the OAuth login flow and take over an account.
