{"id":"UBUNTU-CVE-2017-18076","details":"In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.","modified":"2025-07-18T16:44:17Z","published":"2018-01-26T19:29:00Z","upstream":["CVE-2017-18076"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-18076"},{"type":"REPORT","url":"https://github.com/omniauth/omniauth/pull/867"},{"type":"REPORT","url":"https://bugs.debian.org/888523"},{"type":"REPORT","url":"https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-18076"}],"affected":[{"package":{"name":"ruby-omniauth","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/ruby-omniauth@1.3.1-1+deb9u1build0.16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.1-1+deb9u1build0.16.04.1"}]}],"versions":["1.2.2-3","1.3.1-1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.3.1-1+deb9u1build0.16.04.1","binary_name":"ruby-omniauth"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-18076.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}