Bugzilla – Bug 1133648
VUL-1: CVE-2015-9284: rubygem-omniauth: CSRF vulnerability in OmniAuth request phase
Last modified: 2019-04-29 22:12:12 UTC
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request
Forgery when used as part of the Ruby on Rails framework, allowing accounts to
be connected without user intent, user interaction, or feedback to the user.
This permits a secondary account to be able to sign into the web application as
the primary account.
is also in SUSE:SLE-12-SP3:Update:Products:CASP30 and SUSE:SLE-12-SP3:Update:Products:CASP31
the pull requests upstream seem closed, but apparently were not merged?