Bug 1707375 (CVE-2015-9284)

Summary: CVE-2015-9284 rubygem-omniauth: request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery leading to connection without user intent
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: axilleas, dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, jaruga, jfrey, jhardy, jprause, kdixon, obarenbo, roliveri, ruby-packagers-sig, simaishi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-omniauth. The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. Accounts are allowed to be connected without user intent, user interaction, or feedback to the user which permits a secondary account to be able to sign into the web application as the primary account. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-14 04:52:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1707376, 1708813    
Bug Blocks: 1707378    

Description Marian Rehak 2019-05-07 11:55:57 UTC 
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Upstream issue:
https://github.com/omniauth/omniauth/pull/809
Comment 1 Marian Rehak 2019-05-07 11:56:09 UTC 
Created rubygem-omniauth tracking bugs for this issue:

Affects: fedora-all [bug 1707376]
Comment 4 Richard Maciel Costa 2019-05-14 04:49:02 UTC 
Statement:

Red Hat CloudForms 4.5 is on maintenance support phase, thus only critical issues will be fixed.