CVE-2015-9284
Cross-Site Request Forgery vulnerability in omniauth (RubyGems)
What is CVE-2015-9284 About?
The OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery (CSRF) during its request phase when integrated with Ruby on Rails. Because the request phase carries no CSRF protection, an attacker can cause a victim's account to be linked to another account without the victim's explicit consent. Exploitation requires little effort: a single crafted request is enough.
Affected Software
Technical Details
The vulnerability lies in the request phase of the OmniAuth Ruby gem, versions 1.9.2 and earlier, when the gem is used within the Ruby on Rails framework. When an authentication flow is started (the 'request phase'), OmniAuth did not adequately implement CSRF protection: it accepted the request regardless of whether it originated from the application's own pages. An attacker can therefore host a malicious web page that, when visited by a user who is logged into the target Rails application, causes the user's browser to send a forged request to the OmniAuth endpoint. Because the request phase did not verify the request's authenticity (for example, via an anti-CSRF token), the OmniAuth flow proceeded and could link a secondary account controlled by the attacker to the victim's primary account. The attacker can then sign into the victim's web application account using that secondary account, without the victim's knowledge or interaction.
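The two defences that close this gap are the ones the upstream fix adopted: OmniAuth 2.0 restricts the request phase to POST by default, and a Rails integration verifies the form's authenticity token before the flow is allowed to start. The following Rack-style middleware is an added illustration of that pattern, not OmniAuth's own code or the code from the omniauth-rails pull request; the class name `RequestPhaseGuard`, the `/auth/<provider>` path pattern, the session key and the sample requests are all assumptions constructed for this example. It runs with the Ruby standard library only and checks a forged GET, a POST with a wrong token, a POST with no token, and a genuine POST carrying the session's token.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Added example (not OmniAuth's own code): a minimal Rack-style middleware
# applying the two defences an OmniAuth request phase needs against CSRF:
# only POST may start an authentication flow, and the POST must carry an
# authenticity token matching the one stored in the user's session.
# Class name, path pattern and session key are assumptions for this example.
class RequestPhaseGuard
  REQUEST_PHASE = %r{\A/auth/[^/]+\z}   # matches /auth/github, not /auth/github/callback
  SESSION_KEY   = 'omniauth_csrf_token' # assumed session key holding the token

  def initialize(app)
    @app = app
  end

  def call(env)
    # Only the request phase is guarded; other paths pass straight through.
    return @app.call(env) unless REQUEST_PHASE.match?(env['PATH_INFO'].to_s)
    unless env['REQUEST_METHOD'] == 'POST'
      return [405, { 'content-type' => 'text/plain' }, ['request phase requires POST']]
    end

    session  = env['rack.session'] || {}
    expected = session[SESSION_KEY]
    supplied = form_params(env)['authenticity_token']
    unless expected && supplied && secure_compare(expected, supplied)
      return [403, { 'content-type' => 'text/plain' }, ['invalid authenticity token']]
    end
    @app.call(env)
  end

  # Issue (or reuse) the per-session token that the login form embeds
  # as a hidden field; a cross-site page cannot read it.
  def self.issue_token(session)
    session[SESSION_KEY] ||= SecureRandom.hex(32)
  end

  private

  # Parse an application/x-www-form-urlencoded body into a Hash.
  def form_params(env)
    input = env['rack.input']
    body  = input ? input.read.to_s : ''
    input.rewind if input.respond_to?(:rewind)
    URI.decode_www_form(body).to_h
  end

  # Constant-time comparison so the token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed request environments for the self-check (not captured traffic).
def build_env(method, path, session, body = '')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path,
    'rack.session' => session, 'rack.input' => StringIO.new(body) }
end

# Stand-in for OmniAuth's request phase: anything reaching it is redirected
# to the (assumed) identity provider.
ACCEPT = ->(_env) { [302, { 'location' => 'https://provider.example/oauth' }, []] }

# Returns the HTTP status the guard produced for each constructed request.
def demo
  guard   = RequestPhaseGuard.new(ACCEPT)
  session = {}
  token   = RequestPhaseGuard.issue_token(session)
  {
    forged_get:  guard.call(build_env('GET',  '/auth/github', session))[0],
    forged_post: guard.call(build_env('POST', '/auth/github', session, 'authenticity_token=guess'))[0],
    no_token:    guard.call(build_env('POST', '/auth/github', session))[0],
    genuine:     guard.call(build_env('POST', '/auth/github', session, "authenticity_token=#{token}"))[0],
    callback:    guard.call(build_env('GET',  '/auth/github/callback', session))[0]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The callback path is deliberately left alone: the forged request in this CVE targets the start of the flow, and the callback is protected separately by the OAuth state parameter. Rejecting non-POST requests blocks the simplest forgery (a link or image tag), and the token check blocks a cross-site auto-submitting form, which is the case the method restriction alone does not cover.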
What is the Impact of CVE-2015-9284?
Successful exploitation may allow attackers to link their own external accounts to a victim's account, enabling unauthorized access or session impersonation.
What is the Exploitability of CVE-2015-9284?
Exploitation of this CSRF vulnerability is of low to moderate complexity: the attacker crafts a web page containing the forged request and lures a logged-in user into visiting it. The attacker needs no account on the target application, but the victim must be authenticated to it. The vulnerability is remotely exploitable, since the malicious content is delivered to the victim's browser. The prerequisites are a vulnerable version of OmniAuth integrated into a Ruby on Rails application and the absence of CSRF token validation during the OmniAuth request phase. The widespread use of OmniAuth for third-party login, together with the default lack of CSRF protection in earlier versions, increases the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-9284?
Available Upgrade Options
- omniauth
- <2.0.0 → Upgrade to 2.0.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-ww4x-rwq6-qpgf
- https://github.com/omniauth/omniauth
- https://github.com/omniauth/omniauth/releases/tag/v1.9.2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml
- https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
- https://nvd.nist.gov/vuln/detail/CVE-2015-9284
- https://github.com/omniauth/omniauth/issues/1031
- https://www.openwall.com/lists/oss-security/2015/05/26/11
- https://github.com/omniauth/omniauth-rails/pull/1
- https://github.com/omniauth/omniauth/pull/809
What are Similar Vulnerabilities to CVE-2015-9284?
Similar Vulnerabilities: CVE-2023-38035, CVE-2022-42171, CVE-2021-23385, CVE-2019-15891, CVE-2016-0752
