CVE编号
CVE-2020-26254利用情况
暂无补丁情况
N/A披露时间
2020-12-09漏洞描述
omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.md#101---2020-12-03 | |
| https://github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14... | |
| https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633 |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | omniauth-apple_project | omniauth-apple | * |
Up to (excluding) 1.0.1 |
|||||
- 攻击路径 网络
- 攻击复杂度 低
- 权限要求 低
- 影响范围 已更改
- 用户交互 无
- 可用性 无
- 保密性 无
- 完整性 高
还没有评论,来说两句吧...