[security] Security issue with ruby-openid library
Chris
setenforce1 at gmail.com
Wed Feb 27 00:08:42 UTC 2019
openid-security mailing list:
I have discovered a remotely exploitable weakness in the ruby-openid
library that Rails web applications use to integrate with OpenID
Providers. Severity can range from medium to critical, depending on how a
web application developer chose to implement the ruby-openid library.
Developers who based their OpenID integration heavily on the "example app"
provided by the project are at highest risk.
I hesitate to provide too much detail publicly, as I would prefer to
responsibly report the details of this issue privately, to ensure that the
OpenID community has time to confirm my findings, implement appropriate
code changes, and communicate effectively with affected developers.
Can one of the main admins on the list please suggest a viable approach?
One of the primary maintainers of the ruby-openid project could contact me
directly (reply to this email?), or I could be provided with a short list
of maintainers to contact.
Thank you
-
Chris