Add CVE-2015-9284 for OmniAuth (#390)

GUI · reedloden · commit 3f72cb264e49 · 2019-07-06T18:06:28.000+02:00
diff --git a/gems/omniauth/CVE-2015-9284.yml b/gems/omniauth/CVE-2015-9284.yml
@@ -0,0 +1,25 @@
+---
+gem: omniauth
+cve: 2015-9284
+url: https://github.com/omniauth/omniauth/pull/809
+title: CSRF vulnerability in OmniAuth's request phase
+date: 2015-05-25
+
+description: |
+  The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
+  Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
+  accounts to be connected without user intent, user interaction, or feedback to
+  the user. This permits a secondary account to be able to sign into the web
+  application as the primary account.
+  
+  In order to mitigate this vulnerability, Rails users should consider using the
+  `omniauth-rails_csrf_protection` gem.
+  
+  More info is available here: https://github.com/omniauth/omniauth/pull/809#issuecomment-502079405
+
+cvss_v2: 6.8
+cvss_v3: 8.8
+
+related:
+  url:
+    - https://github.com/cookpad/omniauth-rails_csrf_protection
