CVE-2024-21632: Improper Authentication
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation does not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.
References
- github.com/advisories/GHSA-5g66-628f-7cvj
- github.com/synth/omniauth-microsoft_graph/commit/5ffd62690ca0e46978f2fc7d83b18d28edde7795
- github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1
- github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj
- nvd.nist.gov/vuln/detail/CVE-2024-21632
- www.descope.com/blog/post/noauth
Code Behaviors & Features
Detect and mitigate CVE-2024-21632 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →