CVE-2019-17268
CRITICAL
omniauth-weibo-oauth2 0.4.6 - Remote Code Execution via Malicious Gem
Title source: llm
Description
The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.
References (2)
Core References
Patch, Third Party Advisory x_refsource_misc
https://diff.coditsu.io/diffs/09a05c37-1b34-49e1-ac94-d4dda40d1ad1#d2h-971595
Patch, Third Party Advisory x_refsource_confirm
https://github.com/beenhero/omniauth-weibo-oauth2/issues/36
Scores
CVSS v3
9.8
EPSS
0.0065
EPSS Percentile
71.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (2)
omniauth-weibo-oauth2_project/omniauth-weibo-oauth2
0.4.6
rubygems/omniauth-weibo-oauth2
0.4.6 - 0.5.1
RubyGems
Published
Feb 07, 2020
Tracked Since
Feb 18, 2026