CVE-2024-21632
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| synth | omniauth-microsoft_graph | < 2.0.0 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj
- https://github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1
- https://www.descope.com/blog/post/noauth
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj
- https://github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1
- https://www.descope.com/blog/post/noauth
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.