CVE-2020-36599
Improper Output Neutralization vulnerability in omniauth (RubyGems)
What is CVE-2020-36599 About?
This vulnerability is an Improper Output Neutralization issue in OmniAuth, specifically affecting the message_key value in lib/omniauth/failure_endpoint.rb. Because that value is not escaped before it is written into the response, attacker-controlled content can be injected into client-facing output, which could lead to various client-side attacks. Exploitation is relatively straightforward if an attacker can control the message_key value.
Affected Software
- omniauth
  - >=2.0.0.pre.rc1, <2.0.0
  - <1.9.2
Technical Details
The vulnerability occurs because OmniAuth, in versions prior to 1.9.2 and 2.0, does not properly escape the message_key value within its failure endpoint. This message_key is likely rendered directly into HTML or another client-side context without appropriate sanitization. An attacker supplying specially crafted input to this parameter can inject arbitrary code or content, leading to client-side script execution (XSS) or other content manipulation, because the browser interprets the unescaped payload as part of the response rather than as data.
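To make the output-neutralization point concrete, here is an added, constructed example (not OmniAuth's own code, and not the code from the referenced commit) of a minimal failure endpoint that reads an error key from the Rack environment (modelled here as a plain Hash under an assumed key name) and surfaces it to the client in two different output contexts. Each context gets the vulnerable raw-interpolation form beside a hardened form using the stdlib escaper appropriate to that context:

```ruby
require "cgi"
require "uri"

# Constructed example, not OmniAuth's code: a minimal failure endpoint that
# takes an error key from the Rack environment (a plain Hash here) and
# surfaces it to the client in two different output contexts.
class FailureEndpoint
  def initialize(env)
    @env = env
  end

  # Error key as supplied by the strategy. The env key name is an assumption
  # for this example. In the vulnerable pattern the value is trusted as-is
  # even though it may originate from unauthenticated request input.
  def message_key
    @env["omniauth.error.type"].to_s
  end

  # Vulnerable pattern: raw interpolation into a redirect URL. Characters such
  # as '&', '#' or '"' let the value break out of the intended query parameter.
  def unsafe_redirect_location(path_prefix = "/auth")
    "#{path_prefix}/failure?message=#{message_key}"
  end

  # Hardened: the key is percent-encoded so it stays one query-string value.
  def safe_redirect_location(path_prefix = "/auth")
    "#{path_prefix}/failure?message=#{URI.encode_www_form_component(message_key)}"
  end

  # Vulnerable pattern: raw interpolation into an HTML error page, so any
  # markup in the key is parsed by the browser (the XSS case).
  def unsafe_html_body
    "<p>Authentication failed: #{message_key}</p>"
  end

  # Hardened: HTML-entity escaping for the HTML text context.
  def safe_html_body
    "<p>Authentication failed: #{CGI.escapeHTML(message_key)}</p>"
  end
end

# Constructed sample input: an error key carrying markup and URL metacharacters.
SAMPLE_ENV = { "omniauth.error.type" => "<script>alert(1)</script>&foo=bar" }.freeze

if __FILE__ == $PROGRAM_NAME
  ep = FailureEndpoint.new(SAMPLE_ENV)
  puts ep.unsafe_redirect_location
  puts ep.safe_redirect_location
  puts ep.unsafe_html_body
  puts ep.safe_html_body
end
```

The design point is that the escaping function must match the output context: `URI.encode_www_form_component` neutralizes query-string delimiters but does nothing useful for HTML, and `CGI.escapeHTML` does the reverse. Whichever context a message key ends up in, the safe form emits it as data rather than as structure.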
What is the Impact of CVE-2020-36599?
Successful exploitation may allow attackers to inject arbitrary web scripts or HTML, leading to client-side attacks such as Cross-Site Scripting (XSS), session hijacking, or defacement of content viewed by the user.
What is the Exploitability of CVE-2020-36599?
Exploitation of this vulnerability is of medium complexity, requiring the attacker to control the 'message_key' input, likely through URL parameters or POST data. There are no specific authentication or privilege requirements to trigger the vulnerability if the 'message_key' is derived from unauthenticated user input. It is a remote vulnerability, as the attacker can craft a malicious request from any location. The primary constraint is the attacker's ability to manipulate the 'message_key' before it is processed and rendered by the vulnerable component. Risk factors increasing likelihood include applications allowing arbitrary user-supplied input to influence URL parameters or error messages displayed to other users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36599?
Available Upgrade Options
- omniauth
  - <1.9.2 → Upgrade to 1.9.2
  - >=2.0.0.pre.rc1, <2.0.0 → Upgrade to 2.0.0
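When checking an inventory of installed gem versions against the affected ranges listed above, prerelease ordering is the usual pitfall (`2.0.0.pre.rc1` and other `2.0.0` prereleases sort below `2.0.0`). The following added example (not part of the advisory or of any project tooling) encodes exactly the two ranges above using Ruby's own `Gem::Version` comparison, so it can be dropped into a script that reads `Gemfile.lock`:

```ruby
require "rubygems"

# Affected ranges as stated in the advisory, expressed with Gem::Version so
# that prerelease versions (2.0.0.pre.rc1, 2.0.0.rc2, ...) compare correctly.
RANGE_1X   = Gem::Requirement.new("< 1.9.2")
RANGE_2PRE = Gem::Requirement.new(">= 2.0.0.pre.rc1", "< 2.0.0")

# Returns true when the given omniauth version string falls inside either
# affected range. Gem::Requirement#satisfied_by? is used with the prerelease
# flag so that "< 2.0.0" matches 2.0.0 prereleases rather than skipping them.
def omniauth_affected?(version_string)
  v = Gem::Version.new(version_string)
  RANGE_1X.satisfied_by?(v) || RANGE_2PRE.satisfied_by?(v)
end

# Fixed version to move to for a given affected version, per the advisory.
def omniauth_fix_for(version_string)
  v = Gem::Version.new(version_string)
  return "1.9.2" if RANGE_1X.satisfied_by?(v)
  return "2.0.0" if RANGE_2PRE.satisfied_by?(v)
  nil
end

# Constructed inventory, as a script might collect from Gemfile.lock files.
SAMPLE_INVENTORY = {
  "billing-app" => "1.9.1",
  "portal"      => "1.9.2",
  "new-stack"   => "2.0.0.rc2",
  "greenfield"  => "2.1.0",
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INVENTORY.each do |app, ver|
    status = omniauth_affected?(ver) ? "AFFECTED -> upgrade to #{omniauth_fix_for(ver)}" : "ok"
    puts "#{app}: omniauth #{ver} #{status}"
  end
end
```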
Additional Resources
- https://github.com/omniauth/omniauth
- https://nvd.nist.gov/vuln/detail/CVE-2020-36599
- https://osv.dev/vulnerability/GHSA-pm55-qfxr-h247
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2020-36599.yml
- https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
- https://rubygems.org/gems/omniauth/versions/1.9.2
What are Similar Vulnerabilities to CVE-2020-36599?
Similar Vulnerabilities: CVE-2023-23913, CVE-2015-9284, CVE-2019-1002010, CVE-2017-0904, CVE-2018-3720
