CVE-2019-17268 — CRITICAL (9.8)

Vulnerability Description

The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Omniauth-Weibo-Oauth2 Project	Omniauth-Weibo-Oauth2	0.4.6

Related Weaknesses (CWE)

CWE-94

References

https://diff.coditsu.io/diffs/09a05c37-1b34-49e1-ac94-d4dda40d1ad1#d2h-971595PatchThird Party Advisory
https://github.com/beenhero/omniauth-weibo-oauth2/issues/36PatchThird Party Advisory
https://diff.coditsu.io/diffs/09a05c37-1b34-49e1-ac94-d4dda40d1ad1#d2h-971595PatchThird Party Advisory
https://github.com/beenhero/omniauth-weibo-oauth2/issues/36PatchThird Party Advisory

FAQ

What is CVE-2019-17268?

CVE-2019-17268 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.

How severe is CVE-2019-17268?

CVE-2019-17268 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-17268?

Check the references section above for vendor advisories and patch information. Affected products include: Omniauth-Weibo-Oauth2 Project Omniauth-Weibo-Oauth2.