CVE-2024-21632

Description

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

CVSS Version 3.1

nvd
CVE ID: CVE-2024-21632
Base Score: 9.8
Base Severity: CRITICAL
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

github
CVE ID: CVE-2024-21632
Base Score: 8.6
Base Severity: HIGH
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Impact Score: 4.7
Exploitability Score: 3.9

Refrence: NVD MITRE

Description​

Description