Vulnerability Description
Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Omniauth-Oauth2 Project | Omniauth-Oauth2 | < 1.1.1 |
Related Weaknesses (CWE)
References
- http://rubysec.github.io/advisories/CVE-2012-6134/ (Broken Link)
- http://seclists.org/oss-sec/2013/q1/304 (Mailing List, Third Party Advisory)
- https://gist.github.com/homakov/3673012 (Broken Link)
- https://github.com/Shopify/omniauth-shopify-oauth2/pull/1 (Patch, Third Party Advisory)
- https://github.com/intridea/omniauth-oauth2/pull/25 (Patch, Third Party Advisory)
FAQ
What is CVE-2012-6134?
CVE-2012-6134 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session sta...
How severe is CVE-2012-6134?
CVE-2012-6134 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-6134?
Check the references section above for vendor advisories and patch information. Affected products include: Omniauth-Oauth2 (Omniauth-Oauth2 Project).