{"id":"CVE-2024-21632","summary":"omniauth-microsoft_graph vulnerable to account takeover (nOAuth)","details":"omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user, nor did it provide or document an option to do so, making it susceptible to nOAuth misconfiguration in cases where the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.\n","aliases":["GHSA-5g66-628f-7cvj"],"modified":"2026-04-10T04:12:49.690257Z","published":"2024-01-02T21:54:54.527Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-287"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21632.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21632.json"},{"type":"ADVISORY","url":"https://github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21632"},{"type":"FIX","url":"https://github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1"},{"type":"ARTICLE","url":"https://www.descope.com/blog/post/noauth"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/synth/omniauth-microsoft_graph","events":[{"introduced":"0"},{"fixed":"cba8a27264d230fffa011ab9df461eb918fef375"},{"fixed":"f132078389612b797c872b45bd0e0b47382414c1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.0.0"}]}}],"versions":["0.3.0","0.3.1","0.3.2","0.3.3","1.0.0","1.1.0","pre-oauth-v2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21632.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"}]}