
18 vulnerabilities found for doorkeeper by doorkeeper_project

FKIE_CVE-2023-34246

Vulnerability from fkie_nvd - Published: 2023-06-12 17:15 - Updated: 2024-12-09 05:15
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, as their identity cannot be assured. This issue is fixed in version 5.6.6.
Impacted products
Vendor Product Version
doorkeeper_project doorkeeper *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "641ABDD9-506A-4C4D-9841-3CBECA3E5D0B",
              "versionEndExcluding": "5.6.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
    }
  ],
  "id": "CVE-2023-34246",
  "lastModified": "2024-12-09T05:15:04.823",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-12T17:15:09.967",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2020-10187

Vulnerability from fkie_nvd - Published: 2020-05-04 14:15 - Updated: 2024-11-21 04:54
Summary
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "45324471-B8B5-4BD5-88D8-FDADD7068460",
              "versionEndExcluding": "5.0.3",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "396ABBC9-1CC7-4E2C-96AA-784425C3316D",
              "versionEndExcluding": "5.1.1",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "FB61DD54-2340-4B7D-B370-E82E4AA88A1F",
              "versionEndExcluding": "5.2.5",
              "versionStartIncluding": "5.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "A79B9E86-2EBC-4452-BCAF-6180E3AB37C7",
              "versionEndExcluding": "5.3.2",
              "versionStartIncluding": "5.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."
    },
    {
      "lang": "es",
      "value": "Doorkeeper versi\u00f3n 5.0.0 y posteriores, contienen una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que permite a un atacante recuperar el secreto del cliente previsto \u00fanicamente para el propietario de la aplicaci\u00f3n OAuth. Despu\u00e9s de autorizar la aplicaci\u00f3n y permitir el acceso, el atacante simplemente necesita solicitar la lista de sus aplicaciones autorizadas en un formato JSON (normalmente GET /oauth/authorized_applications.json). Una aplicaci\u00f3n es vulnerable si el controlador de aplicaciones autorizadas est\u00e1 habilitado."
    }
  ],
  "id": "CVE-2020-10187",
  "lastModified": "2024-11-21T04:54:55.790",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-05-04T14:15:13.013",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2018-1000211

Vulnerability from fkie_nvd - Published: 2018-07-13 18:29 - Updated: 2024-11-21 03:39
Summary
Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the Token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry.
Impacted products
Vendor Product Version
doorkeeper_project doorkeeper *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D31753A-773E-43B2-B53E-7C293E278617",
              "versionEndIncluding": "4.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
    },
    {
      "lang": "es",
      "value": "Doorkeeper en versiones 4.2.0 y posteriores contiene una vulnerabilidad de control de acceso incorrecto en el m\u00e9todo autorizado de la API de revocaci\u00f3n de tokens que puede resultar en que los tokens de acceso no se revocan para las aplicaciones p\u00fablicas de OAuth, filtrando el acceso hasta que expiran."
    }
  ],
  "id": "CVE-2018-1000211",
  "lastModified": "2024-11-21T03:39:56.953",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-07-13T18:29:00.443",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2018-1000088

Vulnerability from fkie_nvd - Published: 2018-03-13 15:29 - Updated: 2024-11-21 03:39
Summary
Doorkeeper versions 2.1.0 through 4.2.5 contain a Cross Site Scripting (XSS) vulnerability in the web view's OAuth app form and user authorization prompt web view: the OAuth Client's name is subject to Stored XSS, so users interacting with it execute the payload. This attack appears to be exploitable when the victim is tricked into clicking an opaque link to the web view that runs the XSS payload; a malicious link is virtually indistinguishable from a normal one. This vulnerability appears to have been fixed in 4.2.6 and 4.3.0.
Impacted products
Vendor Product Version
doorkeeper_project doorkeeper *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "36AA1694-5C54-45E3-85B5-2DF8C338EFE3",
              "versionEndIncluding": "4.2.5",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
    },
    {
      "lang": "es",
      "value": "Doorkeeper, de la versi\u00f3n 2.1.0 hasta la 4.2.5, contiene una vulnerabilidad de Cross-Site Scripting (XSS) en el formulario de aplicaci\u00f3n OAuth de la vista web, concretamente en la vista de mensaje de autorizaci\u00f3n, que puede resultar en Cross-Site Scripting (XSS) persistente en el nombre del cliente OAuth. Esto har\u00e1 que los usuarios que interact\u00faen con el ejecuten cargas \u00fatiles. El ataque parece ser explotable si la v\u00edctima es enga\u00f1ada para que haga clic en un enlace opaco a la vista web que ejecuta la carga \u00fatil XSS. Una versi\u00f3n maliciosa es virtualmente imposible de distinguir de un enlace normal. La vulnerabilidad parece haber sido solucionada en las versiones 4.2.6 y 4.3.0."
    }
  ],
  "id": "CVE-2018-1000088",
  "lastModified": "2024-11-21T03:39:37.033",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-03-13T15:29:01.300",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-6582

Vulnerability from fkie_nvd - Published: 2017-01-23 21:59 - Updated: 2025-04-20 01:37
Summary
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging its failure to implement the OAuth 2.0 Token Revocation specification.
Impacted products
Vendor Product Version
doorkeeper_project doorkeeper *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "C1D455D8-18C2-4CC1-B959-09F3A1E5B66F",
              "versionEndIncluding": "4.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification."
    },
    {
      "lang": "es",
      "value": "El Doorkeeper gem en versiones anteriores a 4.2.0 para Ruby podr\u00edan permitir a atacantes remotos llevar a cabo ataques de repetici\u00f3n o revocar tokens arbitrarios aprovechando el fallo para implementar la especificaci\u00f3n OAuth 2.0 Token Revocation."
    }
  ],
  "id": "CVE-2016-6582",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.4,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-01-23T21:59:02.110",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92551"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92551"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-254"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-8144

Vulnerability from fkie_nvd - Published: 2014-12-31 22:59 - Updated: 2025-04-12 10:46

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "EC6F3A8C-EC53-4408-9D38-E968CDFBA015",
              "versionEndIncluding": "1.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de CSRF en doorkeeper anterior a 1.4.1 permite a atacantes remotos secuestrar la autenticaci\u00f3n de victimas no especificadas para solicitudes que leen un c\u00f3digo de autorizaci\u00f3n de usuario OAuth a trav\u00e9s de vectores desconocidos."
    }
  ],
  "id": "CVE-2014-8144",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-12-31T22:59:02.630",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://seclists.org/oss-sec/2014/q4/1076"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/oss-sec/2014/q4/1076"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2023-34246 (GCVE-0-2023-34246)

Vulnerability from cvelistv5 – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
Title
Doorkeeper Improper Authentication vulnerability
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, since their identity cannot be assured. This issue is fixed in version 5.6.6.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-09T05:03:22.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
          },
          {
            "name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34246",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-03T23:12:01.958465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-03T23:17:33.503Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "doorkeeper",
          "vendor": "doorkeeper-gem",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.6.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T14:06:18.837Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
        }
      ],
      "source": {
        "advisory": "GHSA-7w2c-w47h-789w",
        "discovery": "UNKNOWN"
      },
      "title": "Doorkeeper Improper Authentication vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34246",
    "datePublished": "2023-06-12T16:33:05.704Z",
    "dateReserved": "2023-05-31T13:51:51.173Z",
    "dateUpdated": "2025-02-13T16:55:25.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10187 (GCVE-0-2020-10187)

Vulnerability from cvelistv5 – Published: 2020-05-04 13:19 – Updated: 2024-08-04 10:58
Summary
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret, which is intended only for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:58:39.628Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-04T13:19:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-10187",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
            },
            {
              "name": "https://github.com/rubysec/ruby-advisory-db/pull/446",
              "refsource": "MISC",
              "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-10187",
    "datePublished": "2020-05-04T13:19:04",
    "dateReserved": "2020-03-06T00:00:00",
    "dateUpdated": "2024-08-04T10:58:39.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1000211 (GCVE-0-2018-1000211)

Vulnerability from cvelistv5 – Published: 2018-07-13 18:00 – Updated: 2024-09-17 03:34
Summary
Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorization method, which can result in access tokens not being revoked for public OAuth apps, leaking access until expiry.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:40:46.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-07-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-13T18:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2018-07-10T20:50:24.886897",
          "DATE_REQUESTED": "2018-07-10T20:32:02",
          "ID": "CVE-2018-1000211",
          "REQUESTER": "me@justinbull.ca",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/891",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000211",
    "datePublished": "2018-07-13T18:00:00Z",
    "dateReserved": "2018-07-13T00:00:00Z",
    "dateUpdated": "2024-09-17T03:34:15.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1000088 (GCVE-0-2018-1000088)

Vulnerability from cvelistv5 – Published: 2018-03-13 15:00 – Updated: 2024-08-05 12:33
Summary
Doorkeeper versions 2.1.0 through 4.2.5 contain a Cross-Site Scripting (XSS) vulnerability in the web view's OAuth app form and user authorization prompt web view: a stored XSS payload in the OAuth client's name is executed for users who interact with it. The attack appears to be exploitable when the victim is tricked into clicking an opaque link to the web view that runs the XSS payload; such a malicious link is virtually indistinguishable from a normal one. This vulnerability appears to have been fixed in 4.2.6 and 4.3.0.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:33:49.282Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-02-17T00:00:00",
      "datePublic": "2018-03-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-13T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2/17/2018 11:44:44",
          "ID": "CVE-2018-1000088",
          "REQUESTER": "me@justinbull.ca",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rubysec/ruby-advisory-db/pull/328/files",
              "refsource": "MISC",
              "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/969",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/970",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000088",
    "datePublished": "2018-03-13T15:00:00",
    "dateReserved": "2018-02-21T00:00:00",
    "dateUpdated": "2024-08-05T12:33:49.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6582 (GCVE-0-2016-6582)

Vulnerability from cvelistv5 – Published: 2017-01-23 21:00 – Updated: 2024-08-06 01:36
Summary
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:36:28.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "92551",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92551"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
          },
          {
            "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
          },
          {
            "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-08-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "92551",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92551"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
        },
        {
          "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
        },
        {
          "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6582",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "92551",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92551"
            },
            {
              "name": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
            },
            {
              "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
            },
            {
              "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/875",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6582",
    "datePublished": "2017-01-23T21:00:00",
    "dateReserved": "2016-08-03T00:00:00",
    "dateUpdated": "2024-08-06T01:36:28.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-8144 (GCVE-0-2014-8144)

Vulnerability from cvelistv5 – Published: 2014-12-31 22:00 – Updated: 2024-08-06 13:10
Summary
Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:10:50.952Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
          },
          {
            "name": "doorkeeper-cve20148144-csrf(99342)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
          },
          {
            "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2014/q4/1076"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-12-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
        },
        {
          "name": "doorkeeper-cve20148144-csrf(99342)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
        },
        {
          "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2014/q4/1076"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-8144",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
            },
            {
              "name": "doorkeeper-cve20148144-csrf(99342)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
            },
            {
              "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2014/q4/1076"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-8144",
    "datePublished": "2014-12-31T22:00:00",
    "dateReserved": "2014-10-10T00:00:00",
    "dateUpdated": "2024-08-06T13:10:50.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-34246 (GCVE-0-2023-34246)

Vulnerability from nvd – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
Title
Doorkeeper Improper Authentication vulnerability
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation: they hold no credential with which to prove their identity, so a request presenting a previously approved public client's identifier is treated as coming from that client and is granted without prompting the user (see RFC 8252 section 8.6 in the references). This issue is fixed in version 5.6.6, which no longer skips the consent step for public clients.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-09T05:03:22.873Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
          },
          {
            "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
          },
          {
            "name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34246",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-03T23:12:01.958465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-03T23:17:33.503Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "doorkeeper",
          "vendor": "doorkeeper-gem",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.6.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-12T14:06:18.837Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
        },
        {
          "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
        }
      ],
      "source": {
        "advisory": "GHSA-7w2c-w47h-789w",
        "discovery": "UNKNOWN"
      },
      "title": "Doorkeeper Improper Authentication vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34246",
    "datePublished": "2023-06-12T16:33:05.704Z",
    "dateReserved": "2023-05-31T13:51:51.173Z",
    "dateUpdated": "2025-02-13T16:55:25.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10187 (GCVE-0-2020-10187)

Vulnerability from nvd – Published: 2020-05-04 13:19 – Updated: 2024-08-04 10:58
Summary
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret intended only for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in JSON format (usually GET /oauth/authorized_applications.json); the response includes each application's client secret. An application is vulnerable only if the authorized applications controller is enabled. Because the client secret is the credential that identifies a confidential client, any resource owner who has authorized an application can presumably use the leaked secret to act as that client; affected deployments should rotate the secrets of applications exposed this way after upgrading to a fixed release (see the referenced commit and advisory).
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:58:39.628Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-04T13:19:04",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-10187",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
            },
            {
              "name": "https://github.com/rubysec/ruby-advisory-db/pull/446",
              "refsource": "MISC",
              "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-10187",
    "datePublished": "2020-05-04T13:19:04",
    "dateReserved": "2020-03-06T00:00:00",
    "dateUpdated": "2024-08-04T10:58:39.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1000211 (GCVE-0-2018-1000211)

Vulnerability from nvd – Published: 2018-07-13 18:00 – Updated: 2024-09-17 03:34
Summary
Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorization method: revocation requests for access tokens issued to public OAuth apps are not honoured, so a token a user believes to be revoked remains valid until it expires. See the referenced pull request for the fix.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:40:46.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-07-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-13T18:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2018-07-10T20:50:24.886897",
          "DATE_REQUESTED": "2018-07-10T20:32:02",
          "ID": "CVE-2018-1000211",
          "REQUESTER": "me@justinbull.ca",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/891",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000211",
    "datePublished": "2018-07-13T18:00:00Z",
    "dateReserved": "2018-07-13T00:00:00Z",
    "dateUpdated": "2024-09-17T03:34:15.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1000088 (GCVE-0-2018-1000088)

Vulnerability from nvd – Published: 2018-03-13 15:00 – Updated: 2024-08-05 12:33
Summary
Doorkeeper versions 2.1.0 through 4.2.5 contain a stored Cross-Site Scripting (XSS) vulnerability in two web views: the OAuth application form and the user authorization prompt. The OAuth client's name is rendered without escaping, so a payload stored in that name executes in the browser of any user who interacts with the affected view. To exploit it, the victim must be tricked into following a link to the affected view; such a link is virtually indistinguishable from a legitimate one. This vulnerability appears to have been fixed in 4.2.6 and 4.3.0.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:33:49.282Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-02-17T00:00:00",
      "datePublic": "2018-03-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-13T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2/17/2018 11:44:44",
          "ID": "CVE-2018-1000088",
          "REQUESTER": "me@justinbull.ca",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Doorkeeper versions 2.1.0 through 4.2.5 contain a stored Cross Site Scripting (XSS) vulnerability: an XSS payload placed in an OAuth client\u0027s name is rendered in the OAuth application form and in the user authorization prompt web views, so any user who interacts with those views executes the payload. Exploitation requires the victim to be tricked into clicking a link to the affected web view; such a link is virtually indistinguishable from a legitimate one. This vulnerability appears to have been fixed in versions 4.2.6 and 4.3.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rubysec/ruby-advisory-db/pull/328/files",
              "refsource": "MISC",
              "url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/969",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/pull/970",
              "refsource": "MISC",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000088",
    "datePublished": "2018-03-13T15:00:00",
    "dateReserved": "2018-02-21T00:00:00",
    "dateUpdated": "2024-08-05T12:33:49.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6582 (GCVE-0-2016-6582)

Vulnerability from nvd – Published: 2017-01-23 21:00 – Updated: 2024-08-06 01:36
Summary
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens, because its token revocation endpoint did not correctly implement the OAuth 2.0 Token Revocation specification (RFC 7009): per the linked advisory, tokens were not actually revoked and the wrong authentication method was used for revocation requests. Deployments on 4.1.x or earlier should upgrade to 4.2.0 or later and verify that revoked tokens are rejected.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:36:28.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "92551",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92551"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
          },
          {
            "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
          },
          {
            "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-08-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "92551",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92551"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
        },
        {
          "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
        },
        {
          "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6582",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "92551",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92551"
            },
            {
              "name": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html"
            },
            {
              "name": "20160818 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/539268/100/0/threaded"
            },
            {
              "name": "20160822 [CVE-2016-6582] Doorkeeper gem does not revoke tokens \u0026 uses wrong auth/auth method",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Aug/105"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0"
            },
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/issues/875",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/issues/875"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6582",
    "datePublished": "2017-01-23T21:00:00",
    "dateReserved": "2016-08-03T00:00:00",
    "dateUpdated": "2024-08-06T01:36:28.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-8144 (GCVE-0-2014-8144)

Vulnerability from nvd – Published: 2014-12-31 22:00 – Updated: 2024-08-06 13:10
Summary
Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:10:50.952Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
          },
          {
            "name": "doorkeeper-cve20148144-csrf(99342)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
          },
          {
            "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2014/q4/1076"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-12-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
        },
        {
          "name": "doorkeeper-cve20148144-csrf(99342)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
        },
        {
          "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2014/q4/1076"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-8144",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
              "refsource": "CONFIRM",
              "url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
            },
            {
              "name": "doorkeeper-cve20148144-csrf(99342)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
            },
            {
              "name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2014/q4/1076"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-8144",
    "datePublished": "2014-12-31T22:00:00",
    "dateReserved": "2014-10-10T00:00:00",
    "dateUpdated": "2024-08-06T13:10:50.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}