CVE-2019-17268 report for omniauth-weibo-oauth2

[mensfeld]

Hey,

I took courtesy of reporting the malicious code injection in 0.4.6 into the CVE database.

https://diff.coditsu.io/gems/omniauth-weibo-oauth2/0.4.3/0.4.6

Just wanted to let you know. They initially assigned the CVE-2019-17268.

[NeverMin]

Hi Maciej, thank you, i will take a look at tomorrow.

…

-Never Maciej Mensfeld <notifications@github.com> 于2019年10月9日周三 下午8:17写道：

Hey, I took courtesy of reporting the malicious code injection in 0.4.6 into the CVE database. https://diff.coditsu.io/gems/omniauth-weibo-oauth2/0.4.3/0.4.6 Just wanted to let you know. They initially assigned the CVE-2019-17268. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#36?email_source=notifications&email_token=AAVK66GIST2QQWQBZM2Y563QNXDW5A5CNFSM4I66SKI2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HQTZIXQ>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAVK66BSIILGTVYZJKNFUULQNXDW5ANCNFSM4I66SKIQ> .

[mensfeld]

ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17268

I believe that info about this breach should be more exposed.

[NeverMin]

Hi @mensfeld ,

Thank you for your information, get a CVE number make me feel surprised, I sent the abuse report to ISP for now. more information see the Issue report please:

EDITED:
Server OFFLINE at 21:31 CST

update the report:

[mensfeld]

Thank you! I did id so tools like bundler-audit can catch it.

Too many people use automatic dependencies upgrade tools, that's why I'm super paranoic about stuff like this.

I will close this issue as now it's on the Mitre side to verify.