CVE-2019-17268: 
Ruby vulnerability analysis and mitigation

The omniauth-weibo-oauth2 gem version 0.4.6 for Ruby, as distributed on RubyGems.org, was compromised with a code-execution backdoor that was maliciously inserted by a third party. The vulnerability was discovered in October 2019 and was assigned CVE-2019-17268. Importantly, versions through 0.4.5, and versions 0.5.1 and later are not affected by this vulnerability (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. The vulnerability is classified under CWE-94, which refers to 'Improper Control of Generation of Code (Code Injection)' (NVD).

The presence of a code-execution backdoor in the gem could allow attackers to execute arbitrary code on systems where the vulnerable version is installed. Given the CVSS score and vector string, the vulnerability provides complete access to system resources, potentially compromising the confidentiality, integrity, and availability of the affected system (NVD).

Users should immediately upgrade to version 0.5.1 or later, or downgrade to version 0.4.5 or earlier, as these versions are unaffected by the vulnerability. The malicious code was only present in version 0.4.6 (NVD).

The vulnerability was reported to the CVE database by security researchers, and the issue was documented in the project's GitHub repository (GitHub Issue).