CVE-2019-11027

Name: CVE-2019-11027
Description: Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 930388

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release              | Version         | Status
ruby-openid (PTS)  | jessie               | 2.5.0debian-1   | undetermined
ruby-openid (PTS)  | sid, buster, stretch | 2.7.0debian-1   | undetermined

The information below is based on the following data on fixed versions.

Package      | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
ruby-openid  | source | (unstable) | undetermined  | high    |        | 930388

Notes

https://github.com/openid/ruby-openid/issues/122
https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
