CVE-2012-6134: CSRF vulnerability, injecting state in session

April 9, 2013 (updated August 2, 2019)

The package omniauth-oauth2 for Ruby contains a flaw related to omniauth.state that allows a remote attacker to conduct a session injection attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.

References

web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6134
github.com/intridea/omniauth-oauth2/pull/25

Code Behaviors & Features

Detect and mitigate CVE-2012-6134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →