CVE-2024-21632

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21632
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21632.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21632
Aliases
Published
2024-01-02T21:54:54Z
Modified
2025-10-30T20:23:37.141688Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
omniauth-microsoft_graph vulnerable to account takeover (nOAuth)
Details

omniauth-microsoft_graph provides an OmniAuth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the user's email attribute, nor did it provide or document an option to do so, making it susceptible to the nOAuth misconfiguration in cases where the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/synth/omniauth-microsoft_graph

Affected ranges

Type
GIT
Repo
https://github.com/synth/omniauth-microsoft_graph
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0
0.3.1
0.3.2
0.3.3

1.*

1.0.0
1.1.0

Other

pre-oauth-v2