Server Side Request Forgery (SSRF) Affecting ruby-openid package, versions <2.9.1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-RUBYOPENID-449661
- published 29 Aug 2019
- disclosed 10 Jun 2019
- credit setenforce1
Introduced: 10 Jun 2019
CVE-2019-11027 Open this link in a new tabHow to fix?
Upgrade ruby-openid to version 2.9.1 or higher.
Overview
ruby-openid is a library for consuming and serving OpenID identities.
Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF) via the Yadis consumer discovery functionality provided by the gem. A lack of verification can lead to a forged assertion request being manipulated to the value of the claimed_id URL parameter which can be exploited with SSRF attacks. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
For application developers, mitigations for affected apps exist:
- Disable Yadis discovery if not needed
- If Yadis discovery is required, or cannot be disabled, add your own strict checks against the value of the claimed_id URL parameter at the very beginning of OpenID 2.0 assertion processing