CVE-2020-36599
CRITICAL EPSS 59.6%
Published Aug 18, 20223y ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Published Aug 18, 2022 3y ago
Last Modified Jun 17, 2026 2w ago
Description
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
59.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-116
Affected Products 2
References 2
- github.com https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
- rubygems.org https://rubygems.org/gems/omniauth/versions/1.9.2
Remediation
- github.com https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2