class Dawn::Kb::CVE_2013_4562

Automatically created with rake on 2013-11-26

Public Class Methods

new() click to toggle source
Calls superclass method Dawn::Kb::DependencyCheck::new
# File lib/dawn/kb/cve_2013_4562.rb, line 7
                      def initialize
message = "Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0."
super({
  :name=>"CVE-2013-4562",
  :cvss=>"not assigned",
  :release_date => Date.new(2013, 11, 14),
  :cwe=>"",
  :owasp=>"A9", 
  :applies=>["rails", "sinatra", "padrino"],
  :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
  :message=>message,
  :mitigation=>"You must upgrade at least to 1.5.0 or later",
  :aux_links=>["https://groups.google.com/forum/#!msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"]
})

self.safe_dependencies = [{:name=>"omniauth-facebook", :version=>['1.5.0']}]

                      end