Vulnerability Information
Vulnerability Title
omniauth-apple allows attacker to fake their email address during authentication
Vulnerability Description
omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1, attackers can fake their email address during authentication. This vulnerability impacts applications that use the omniauth-apple strategy of OmniAuth and rely on the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice, including the email addresses of other users. Applications that do not use info.email for identification but instead use the uid field are not impacted in the same manner. Note that these applications may still be negatively affected if the value of info.email is used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.
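The distinction the advisory draws between identifying a user by info.email and by uid, shown as an added example in plain Ruby (this is not code from the omniauth-apple project). The user store, the uid values and the auth hash are constructed for the illustration; only the shape of the hash (provider, uid, info.email) follows OmniAuth's Auth Hash Schema.

```ruby
# Added example (not omniauth-apple project code). Simulates the OmniAuth
# Auth Hash an application receives in its callback and contrasts a lookup
# keyed on info.email (the field the advisory says an attacker can set) with
# a lookup keyed on provider + uid.

# Constructed user store: what the application already knows about its users.
USERS = [
  { id: 1, provider: "apple", uid: "001234.victim", email: "victim@example.com" },
  { id: 2, provider: "apple", uid: "009876.other",  email: "other@example.com"  },
].freeze

# Constructed auth hash: the uid belongs to an account the application has
# never seen, while info.email carries an existing user's address.
TAMPERED_AUTH = {
  "provider" => "apple",
  "uid"      => "005555.unknown",
  "info"     => { "email" => "victim@example.com" },
}.freeze

# Vulnerable pattern: identifies the account by the address in info.email,
# so whoever controls that value decides which account is returned.
def find_user_by_email(auth, users = USERS)
  email = auth.dig("info", "email")
  users.find { |u| u[:email] == email }
end

# Hardened pattern: identifies the account by the (provider, uid) pair, which
# the advisory says is not impacted in the same manner.
def find_user_by_uid(auth, users = USERS)
  users.find { |u| u[:provider] == auth["provider"] && u[:uid] == auth["uid"] }
end

# Sign-in outcome for a given lookup strategy: the matched user's id, or nil
# when no account is linked to the presented identity.
def sign_in(auth, strategy)
  user = send(strategy, auth)
  user && user[:id]
end

if __FILE__ == $PROGRAM_NAME
  puts "lookup by info.email: #{sign_in(TAMPERED_AUTH, :find_user_by_email).inspect}" # 1 (existing user matched)
  puts "lookup by uid:        #{sign_in(TAMPERED_AUTH, :find_user_by_uid).inspect}"   # nil (no linked account)
end
```

In a real application the uid-based lookup corresponds to querying the user record by the provider/uid pair stored when the account was first linked; info.email is then only informational (for display or for the initial signup form), never the key that selects an account.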
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
Authentication Bypass by Spoofing
Vulnerability Title
omniauth-apple security vulnerability
Vulnerability Description
OmniAuth is an authentication system implemented with Rack middleware. Versions of omniauth-apple before 1.0.1 contain a security vulnerability that allows an attacker to fake their email address during the authentication process. This vulnerability affects applications that use OmniAuth's omniauth-apple strategy and use info.
CVSS Information
N/A
Vulnerability Type
N/A