CVE-2024-21632

omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

CVSS 8.6 HIGHEPSS 0.9%CWE-287

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.6EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Jan 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected products

synth · omniauth-microsoft_graph

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1 https://github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj https://www.descope.com/blog/post/noauth