Description
Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
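Since the description gives only a version range (through 2.8.0, with the RubyGems range listed under Products below ending at 2.9.0), the one check a practitioner can make directly from this entry is whether an application locks an affected gem version. The following Ruby is an added example, not code from the ruby-openid project or from any of the advisories above: it reads a Gemfile.lock, finds the locked ruby-openid version, and compares it with Gem::Version against 2.9.0 as the first version outside the affected range. The sample lockfile is constructed for the example, and the 2.9.0 cut-off is taken from the RubyGems range on this page rather than from release notes. Note that a version in range says nothing about how the application uses the library, which the description says is what decides the actual severity.

```ruby
# Added example (not ruby-openid project code): flag a Gemfile.lock whose
# locked ruby-openid version falls in the affected range for this advisory
# ("through 2.8.0"; the RubyGems range on this page ends at 2.9.0, which we
# treat as the first version outside the range).
require "rubygems" # Gem::Version

FIRST_UNAFFECTED = Gem::Version.new("2.9.0")

# True when +version+ (a String such as "2.7.0") is in the affected range.
# Gem::Version compares segments numerically, so "2.10.0" sorts above "2.9.0".
def ruby_openid_affected?(version)
  Gem::Version.new(version) < FIRST_UNAFFECTED
end

# Return the locked version of +gem_name+ from Gemfile.lock text, or nil.
# Locked gems sit under "specs:" indented by exactly four spaces as
# "    name (version)"; their dependency lines are indented six and carry a
# constraint such as "(>= 2.1.8)", so anchoring on four spaces skips them.
def locked_version(lockfile_text, gem_name = "ruby-openid")
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile_text.each_line do |line|
    m = line.match(pattern)
    return m[1] if m
  end
  nil
end

# :affected, :fixed or :not_present for the given Gemfile.lock text.
def check_lockfile(lockfile_text)
  version = locked_version(lockfile_text)
  return :not_present if version.nil?
  ruby_openid_affected?(version) ? :affected : :fixed
end

# Constructed sample lockfile for the example (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.7)
      rack-openid (1.4.2)
        rack (>= 1.1.0)
        ruby-openid (>= 2.1.8)
      ruby-openid (2.7.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack-openid
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCK
  puts "ruby-openid #{locked_version(text).inspect}: #{check_lockfile(text)}"
end
```

Run it with a path to a real Gemfile.lock to check a project, or with no argument to see the constructed sample (locked at 2.7.0) reported as affected. The dependency line `ruby-openid (>= 2.1.8)` under rack-openid is a constraint, not the resolved version, which is why the scanner keys on the four-space indentation of the locked entry.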
References (4)
Issue Tracking: https://github.com/openid/ruby-openid/issues/122
Mailing List, Third Party Advisory (openid-security list): https://marc.info/?l=openid-security&m=155154717027534&w=2
Mailing List (Debian LTS announce): https://lists.debian.org/debian-lts-announce/2019/10/msg00014.html
Vendor Advisory (Gentoo GLSA 202003-09): https://security.gentoo.org/glsa/202003-09
Scores
CVSS v3 base score: 9.8 (Critical)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0173 (percentile 82.7%)
Details
Status: published
Products (2)
openid/ruby-openid: < 2.8.0 (note that the description above states versions through 2.8.0, i.e. 2.8.0 itself included, are affected; the RubyGems range below, which stops before 2.9.0, agrees with the description)
rubygems/ruby-openid: 0 up to 2.9.0 (RubyGems)
Published: Jun 10, 2019
Tracked Since: Feb 18, 2026