Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2014-8144
Vulnerability from gsd - Updated: 2014-12-18 00:00Details
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
and earlier allows remote attackers to hijack the user's OAuth
autorization code. This vulnerability has been assigned the CVE
identifier CVE-2014-8144.
Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
on the Internet can then read a user's authorization code with
arbitrary scope from any Doorkeeper-compatible Rails app you are
logged in.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-8144",
"description": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.",
"id": "GSD-2014-8144"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "doorkeeper",
"purl": "pkg:gem/doorkeeper"
}
}
],
"aliases": [
"CVE-2014-8144",
"OSVDB-116010"
],
"details": "Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0\nand earlier allows remote attackers to hijack the user\u0027s OAuth\nautorization code. This vulnerability has been assigned the CVE\nidentifier CVE-2014-8144.\n\nDoorkeeper\u0027s endpoints didn\u0027t have CSRF protection. Any HTML document\non the Internet can then read a user\u0027s authorization code with\narbitrary scope from any Doorkeeper-compatible Rails app you are\nlogged in.\n",
"id": "GSD-2014-8144",
"modified": "2014-12-18T00:00:00.000Z",
"published": "2014-12-18T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0\nand earlier.\n"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-8144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
},
{
"name": "doorkeeper-cve20148144-csrf(99342)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
},
{
"name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2014/q4/1076"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-8144",
"cvss_v2": 6.8,
"date": "2014-12-18",
"description": "Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0\nand earlier allows remote attackers to hijack the user\u0027s OAuth\nautorization code. This vulnerability has been assigned the CVE\nidentifier CVE-2014-8144.\n\nDoorkeeper\u0027s endpoints didn\u0027t have CSRF protection. Any HTML document\non the Internet can then read a user\u0027s authorization code with\narbitrary scope from any Doorkeeper-compatible Rails app you are\nlogged in.\n",
"gem": "doorkeeper",
"osvdb": 116010,
"patched_versions": [
"~\u003e 1.4.1",
"\u003e= 2.0.0"
],
"title": "Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0\nand earlier.\n",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.4.0",
"affected_versions": "All versions up to 1.4.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2017-09-08",
"description": "Cross-site request forgery (CSRF) vulnerability in doorkeeper allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.",
"fixed_versions": [
"1.4.1"
],
"identifier": "CVE-2014-8144",
"identifiers": [
"CVE-2014-8144"
],
"not_impacted": "All versions after 1.4.0",
"package_slug": "gem/doorkeeper",
"pubdate": "2014-12-31",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Cross-Site Request Forgery (CSRF)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2014-8144",
"https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
"http://seclists.org/oss-sec/2014/q4/1076",
"https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
],
"uuid": "7b1e4284-af74-478c-a482-916336662ddd"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-8144"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md"
},
{
"name": "[oss-security] 20141217 [CVE-2014-8144] CSRF vulnerability in doorkeeper",
"refsource": "MLIST",
"tags": [],
"url": "http://seclists.org/oss-sec/2014/q4/1076"
},
{
"name": "doorkeeper-cve20148144-csrf(99342)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99342"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2017-09-08T01:29Z",
"publishedDate": "2014-12-31T22:59Z"
}
}
}