Home > Vulnerability Database > CVE-2024-21632

Mend.io Vulnerability Database

CVE-2024-21632

Good to know:

Date: January 2, 2024

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the "email" attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the "email" is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

Language: Ruby

Severity Score

8.6

Related Resources (7)

Url: https://github.com/synth/omniauth-microsoft_graph

Url: https://www.descope.com/blog/post/noauth

Url: https://github.com/synth/omniauth-microsoft_graph/security/advisories/GHSA-5g66-628f-7cvj

Url: https://github.com/synth/omniauth-microsoft_graph/commit/5ffd62690ca0e46978f2fc7d83b18d28edde7795

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21632

Url: https://github.com/synth/omniauth-microsoft_graph/commit/f132078389612b797c872b45bd0e0b47382414c1

Url: https://www.mend.io/vulnerability-database/CVE-2024-21632

Severity Score

8.6

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version omniauth-microsoft_graph - 2.0.0

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21632

Good to know:

Date: January 2, 2024

Language: Ruby

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?