{"url":"http://public2.vulnerablecode.io/api/packages/408566?format=json","purl":"pkg:gem/omniauth@0.1.4","type":"gem","namespace":"","name":"omniauth","version":"0.1.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.0","latest_non_vulnerable_version":"2.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48604?format=json","vulnerability_id":"VCID-c39p-7ky4-mkbf","summary":"OmniAuth Ruby gem Cross-site Request Forgery in request phase\nThe request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.\n\nAs of v2 OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. There is a recommended remediation described [here](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9284.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9284.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9284","reference_id":"","reference_type":"","scores":[{"value":"0.00425","scoring_system":"epss","scoring_elements":"0.62478","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-9284"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284"},{"reference_url":"https://github.com/omniauth/omniauth","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth"},{"reference_url":"https://github.com/omniauth/omniauth/issues/1031","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/issues/1031"},{"reference_url":"https://github.com/omniauth/omniauth/pull/809","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/pull/809"},{"reference_url":"https://github.com/omniauth/omniauth-rails/pull/1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth-rails/pull/1"},{"reference_url":"https://github.com/omniauth/omniauth/releases/tag/v1.9.2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/releases/tag/v1.9.2"},{"reference_url":"https://github.com/omniauth/omniauth/releases/tag/v2.0.0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/releases/tag/v2.0.0"},{"reference_url":"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9284","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-9284"},{"reference_url":"https://www.openwall.com/lists/oss-security/2015/05/26/11","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2015/05/26/11"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1707375","reference_id":"1707375","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1707375"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973384","reference_id":"973384","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973384"},{"reference_url":"https://github.com/advisories/GHSA-ww4x-rwq6-qpgf","reference_id":"GHSA-ww4x-rwq6-qpgf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ww4x-rwq6-qpgf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83722?format=json","purl":"pkg:gem/omniauth@2.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@2.0.0"}],"aliases":["CVE-2015-9284","GHSA-ww4x-rwq6-qpgf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c39p-7ky4-mkbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47026?format=json","vulnerability_id":"VCID-mg7f-n7a6-y7fy","summary":"Omniauth allows POST parameters to be stored in session\nIn strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18076","reference_id":"","reference_type":"","scores":[{"value":"0.00439","scoring_system":"epss","scoring_elements":"0.63438","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18076"},{"reference_url":"https://bugs.debian.org/888523","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugs.debian.org/888523"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18076","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18076"},{"reference_url":"https://github.com/omniauth/omniauth","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth"},{"reference_url":"https://github.com/omniauth/omniauth/pull/867","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/pull/867"},{"reference_url":"https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2017-18076.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2017-18076.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18076","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18076"},{"reference_url":"https://www.debian.org/security/2018/dsa-4109","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4109"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888523","reference_id":"888523","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888523"},{"reference_url":"https://github.com/advisories/GHSA-9pr6-grf4-x2fr","reference_id":"GHSA-9pr6-grf4-x2fr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9pr6-grf4-x2fr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81943?format=json","purl":"pkg:gem/omniauth@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c39p-7ky4-mkbf"},{"vulnerability":"VCID-rvp2-ahqb-4fhm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@1.3.2"}],"aliases":["CVE-2017-18076","GHSA-9pr6-grf4-x2fr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mg7f-n7a6-y7fy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51237?format=json","vulnerability_id":"VCID-rvp2-ahqb-4fhm","summary":"OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value\nlib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36599","reference_id":"","reference_type":"","scores":[{"value":"0.00617","scoring_system":"epss","scoring_elements":"0.70264","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36599"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36599","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36599"},{"reference_url":"https://github.com/omniauth/omniauth","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth"},{"reference_url":"https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2020-36599.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2020-36599.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36599","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36599"},{"reference_url":"https://rubygems.org/gems/omniauth/versions/1.9.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/omniauth/versions/1.9.2"},{"reference_url":"https://github.com/advisories/GHSA-pm55-qfxr-h247","reference_id":"GHSA-pm55-qfxr-h247","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pm55-qfxr-h247"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87548?format=json","purl":"pkg:gem/omniauth@1.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-c39p-7ky4-mkbf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@1.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/83722?format=json","purl":"pkg:gem/omniauth@2.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@2.0.0"}],"aliases":["CVE-2020-36599","GHSA-pm55-qfxr-h247"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rvp2-ahqb-4fhm"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/omniauth@0.1.4"}