Search criteria
2 vulnerabilities found for doorkeeper by doorkeeper-gem
CVE-2023-34246 (GCVE-0-2023-34246)
Vulnerability from cvelistv5 – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
VLAI?
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Severity ?
4.2 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| doorkeeper-gem | doorkeeper |
Affected:
< 5.6.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-09T05:03:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T23:12:01.958465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T23:17:33.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "doorkeeper",
"vendor": "doorkeeper-gem",
"versions": [
{
"status": "affected",
"version": "\u003c 5.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T14:06:18.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
}
],
"source": {
"advisory": "GHSA-7w2c-w47h-789w",
"discovery": "UNKNOWN"
},
"title": "Doorkeeper Improper Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34246",
"datePublished": "2023-06-12T16:33:05.704Z",
"dateReserved": "2023-05-31T13:51:51.173Z",
"dateUpdated": "2025-02-13T16:55:25.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34246 (GCVE-0-2023-34246)
Vulnerability from nvd – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
VLAI?
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Severity ?
4.2 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| doorkeeper-gem | doorkeeper |
Affected:
< 5.6.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-09T05:03:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T23:12:01.958465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T23:17:33.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "doorkeeper",
"vendor": "doorkeeper-gem",
"versions": [
{
"status": "affected",
"version": "\u003c 5.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T14:06:18.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
}
],
"source": {
"advisory": "GHSA-7w2c-w47h-789w",
"discovery": "UNKNOWN"
},
"title": "Doorkeeper Improper Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34246",
"datePublished": "2023-06-12T16:33:05.704Z",
"dateReserved": "2023-05-31T13:51:51.173Z",
"dateUpdated": "2025-02-13T16:55:25.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}