Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3494-1 ruby-doorkeeper security update
Debian DLA Debian DLA DLA-3989-1 ruby-doorkeeper security update
EUVD EUVD EUVD-2023-1739 Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Github GHSA Github GHSA GHSA-7w2c-w47h-789w Doorkeeper Improper Authentication vulnerability
Ubuntu USN Ubuntu USN USN-6210-1 Doorkeeper vulnerability
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 04 Jan 2025 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Dec 2024 05:30:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-02-13T16:55:25.344Z

Reserved: 2023-05-31T13:51:51.173Z

Link: CVE-2023-34246

cve-icon Vulnrichment

Updated: 2024-12-09T05:03:22.873Z

cve-icon NVD

Status : Modified

Published: 2023-06-12T17:15:09.967

Modified: 2024-12-09T05:15:04.823

Link: CVE-2023-34246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.