CVE-2020-26254

{"id": "CVE-2020-26254", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2020-12-08T15:15:11.130", "references": [{"url": "https://github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.md#101---2020-12-03", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14c8d3d07d9016", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.md#101---2020-12-03", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14c8d3d07d9016", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "omniauth-apple is the OmniAuth strategy for \"Sign In with Apple\" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later."}, {"lang": "es", "value": "omniauth-apple es la estrategia de OmniAuth para \"Sign In with Apple\" (RubyGem omniauth-apple). En omniauth-apple anterior a versi\u00f3n 1.0.1, los atacantes pueden falsificar su direcci\u00f3n de correo electr\u00f3nico durante la autenticaci\u00f3n. Esta vulnerabilidad afecta a las aplicaciones que usan la estrategia omniauth-apple de OmniAuth y el campo info.email del Auth Hash Schema de OmniAuth para cualquier tipo de identificaci\u00f3n. El valor de este campo puede ser establecido en cualquier valor que elija el atacante, incluyendo las direcciones de correo electr\u00f3nico de otros usuarios. Las aplicaciones que no usan info.email para la identificaci\u00f3n, sino que en su lugar usan el campo uid, no est\u00e1n afectadas de la misma manera. Tome en cuenta que estas aplicaciones a\u00fan pueden estar afectadas negativamente si el valor de info.email se utiliza para otros fines. Se recomienda a las aplicaciones que utilizan versiones afectadas de omniauth-apple que se actualicen a omniauth-apple versi\u00f3n 1.0"}], "lastModified": "2024-11-21T05:19:40.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:omniauth-apple_project:omniauth-apple:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "D5C95EE3-9B9F-4092-A4F6-1DA130F196EC", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}