Malicious Package

Affecting omniauth-weibo-oauth2 gem, versions >=0.4.6, <0.5.0


Overview

omniauth-weibo-oauth2 is the Weibo OAuth2 Strategy for OmniAuth 1.0.

Affected versions of this package were found to be malicious: they included a code-execution backdoor inserted by a third party.

Remediation

Upgrade omniauth-weibo-oauth2 to version 0.5.0 or higher.
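An added example, not from the Snyk advisory or the omniauth-weibo-oauth2 project: a Ruby check that reads a Gemfile.lock and reports any pinned omniauth-weibo-oauth2 release inside the malicious range stated above. The sample lockfile is constructed.

```ruby
# Added example (not from the Snyk advisory or the gem project): scan a
# Gemfile.lock for omniauth-weibo-oauth2 releases in the malicious range.
require "rubygems"

AFFECTED_GEM   = "omniauth-weibo-oauth2"
AFFECTED_RANGE = Gem::Requirement.new(">= 0.4.6", "< 0.5.0")  # range from the advisory
FIXED_VERSION  = Gem::Version.new("0.5.0")

# Parse the "specs:" section of a Gemfile.lock into { name => [versions] }.
# Top-level specs are indented four spaces, e.g. "    omniauth-weibo-oauth2 (0.4.6)";
# deeper-indented lines are dependency constraints and are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = Hash.new { |h, k| h[k] = [] }
  lockfile_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    specs[$1] << $2
  end
  specs
end

# Return the pinned versions of the affected gem that fall inside the
# malicious range; an empty array means the lockfile is clean.
def affected_versions(lockfile_text)
  parse_lockfile_specs(lockfile_text).fetch(AFFECTED_GEM, []).select do |v|
    AFFECTED_RANGE.satisfied_by?(Gem::Version.new(v))
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (1.9.0)
        hashie (>= 3.4.6, < 3.7.0)
      omniauth-weibo-oauth2 (0.4.6)
        omniauth (~> 1.9)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hits = affected_versions(text)
  if hits.empty?
    puts "#{AFFECTED_GEM}: no pinned version in the malicious range"
  else
    puts "#{AFFECTED_GEM} #{hits.join(', ')} is in the malicious range; upgrade to >= #{FIXED_VERSION}"
  end
end
```

Run it as `ruby check.rb path/to/Gemfile.lock`; with no argument it scans the embedded sample.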

CVSS Score

8.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Credit: Maciej Mensfeld
CVE: CVE-2019-17268
CWE: CWE-506
Snyk ID: SNYK-RUBY-OMNIAUTHWEIBOOAUTH2-548310
Disclosed: 07 Feb, 2020
Published: 07 Feb, 2020