-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2020-26254.yml
44 lines (36 loc) · 1.66 KB
/
CVE-2020-26254.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
---
gem: omniauth-apple
cve: 2020-26254
ghsa: 49r3-2549-3633
url: https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633
date: 2020-12-08
title: omniauth-apple allows attacker to fake their email address during authentication
description: |
### Impact
This vulnerability impacts applications using the [omniauth-apple](https://github.com/nhosoya/omniauth-apple) strategy of OmniAuth and using the `info.email` field of OmniAuth's [Auth Hash Schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema) for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users.
For example, an application using omniauth-apple with the following code will be impacted:
```ruby
def omniauth_callback
auth_hash = request.env['omniauth.auth']
@authenticated_user = User.find_by(email: auth_hash.info.email)
end
```
Applications not using `info.email` for identification but are instead using the `uid` field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of `info.email` is being used for other purposes.
### Patches
Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.
### Workarounds
If unable to upgrade to a patched version, monkey patching `OmniAuth::Strategies::Apple#email` as follows is advised as a workaround:
```ruby
module OmniAuth
module Strategies
class Apple
def email
id_info['email']
end
end
end
end
```
cvss_v3: 7.7
patched_versions:
- ">= 1.0.1"