CVE-2019-11027 — ruby-openid - security update

Description

Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

How to fix CVE-2019-11027

To remediate CVE-2019-11027, upgrade the affected package to a fixed version below.

—upgrade to 2.9.2debian-1 or later
—upgrade to 2.5.0debian-1+deb8u1 or later
—upgrade to 2.9.0 or later

Is CVE-2019-11027 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.9.2debian-1
from 0, < 2.5.0debian-1+deb8u1
from 0, < 2.9.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-11027
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-11027
PATCHgithub.com/openid/ruby-openid
WEBgithub.com/openid/ruby-openid/commit/d181a8a2099c64365a1d24b29f6b6b646673a131
WEB