CVE Vulnerabilities

CVE-2024-21632

Improper Authentication

Published: Jan 02, 2024 | Modified: Jan 09, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Omniauth::microsoftgraph Recognizeapp * 2.0.0 (excluding)

Potential Mitigations

References