| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 23 Jul 2025 07:02:19 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"ff29e882b561f00c7c21d50947c86f77"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=L5Da6K6a%2BfJ37HhsXm%2Fu14hXYE1CbB9cR3SagK1GmV%2FdDb0g6rD6q%2F6XwBQ7O2yio%2B2BVKeSI40BgdbNGsP7hY4BPf1tZ2k8heufRgApFQtk0MK6c5nLCm1Mfi1yTJ9Vx9Vxdl2ODklVX9zVsz8k7NA2HlMC1%2Bc9PRp33qAVF0Io1zVFqWZHubMSYsLynaAeWGCppQtaIPiIjEI4IfWfFTA%2FBETgdFHLT3DmfX32FK8C%2BBji86pAfiF4%2FE4PL60dnSA597GPF9VbZBRsZzXzfA%3D%3D--wQRiozXBzaqzI26o--EMQZAMWIPtO%2F8tYu88Nm6A%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.309833866.1753254139; Path=/; Domain=github.com; Expires=Thu, 23 Jul 2026 07:02:19 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 23 Jul 2026 07:02:19 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: AA3A:351DD4:5B66C7:744228:688088FB
Omniauth allows POST parameters to be stored in session · CVE-2017-18076 · GitHub Advisory Database · GitHub
Skip to content
Navigation Menu
CVE-2017-18076
{{ message }}
Omniauth allows POST parameters to be stored in session
High severity
GitHub Reviewed
Published
Jan 29, 2018
to the GitHub Advisory Database
•
Updated Aug 28, 2023
Description
Published to the GitHub Advisory Database
Jan 29, 2018
Reviewed
Jun 16, 2020
Last updated
Aug 28, 2023
Severity
High
/ 10
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS score
(63rd percentile)
Weaknesses
No CWEs
CVE ID
CVE-2017-18076
GHSA ID
GHSA-9pr6-grf4-x2fr
Source code
Loading
Checking history
See something to contribute?
Suggest improvements for this vulnerability.
You can’t perform that action at this time.
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
References