GSD-2018-1000088
Vulnerability from gsd - Updated: 2018-02-21 00:00Details
Stored XSS on the OAuth Client's name will cause users being prompted for
consent via the "implicit" grant type to execute the XSS payload.
The XSS attack could gain access to the user's active session, resulting in
account compromise.
Any user is susceptible if they click the authorization link for the
malicious OAuth client. Because of how the links work, a user cannot tell if
a link is malicious or not without first visiting the page with the XSS
payload.
If 3rd parties are allowed to create OAuth clients in the app using
Doorkeeper, upgrade to the patched versions immediately.
Additionally there is stored XSS in the native_redirect_uri form element.
DWF has assigned CVE-2018-1000088.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-1000088",
"description": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.",
"id": "GSD-2018-1000088"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "doorkeeper",
"purl": "pkg:gem/doorkeeper"
}
}
],
"aliases": [
"CVE-2018-1000088",
"GHSA-hwhh-2fwm-cfgw"
],
"details": "Stored XSS on the OAuth Client\u0027s name will cause users being prompted for\nconsent via the \"implicit\" grant type to execute the XSS payload.\n\nThe XSS attack could gain access to the user\u0027s active session, resulting in\naccount compromise.\n\nAny user is susceptible if they click the authorization link for the\nmalicious OAuth client. Because of how the links work, a user cannot tell if\na link is malicious or not without first visiting the page with the XSS\npayload.\n\nIf 3rd parties are allowed to create OAuth clients in the app using\nDoorkeeper, upgrade to the patched versions immediately.\n\nAdditionally there is stored XSS in the native_redirect_uri form element.\n\nDWF has assigned CVE-2018-1000088.\n",
"id": "GSD-2018-1000088",
"modified": "2018-02-21T00:00:00.000Z",
"published": "2018-02-21T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/"
},
{
"type": "WEB",
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
},
{
"type": "WEB",
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.6,
"type": "CVSS_V3"
}
],
"summary": "Doorkeeper gem has stored XSS on authorization consent view"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2/17/2018 11:44:44",
"ID": "CVE-2018-1000088",
"REQUESTER": "me@justinbull.ca",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rubysec/ruby-advisory-db/pull/328/files",
"refsource": "MISC",
"url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/969",
"refsource": "MISC",
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0",
"refsource": "MISC",
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/970",
"refsource": "MISC",
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2018-1000088",
"cvss_v3": 7.6,
"date": "2018-02-21",
"description": "Stored XSS on the OAuth Client\u0027s name will cause users being prompted for\nconsent via the \"implicit\" grant type to execute the XSS payload.\n\nThe XSS attack could gain access to the user\u0027s active session, resulting in\naccount compromise.\n\nAny user is susceptible if they click the authorization link for the\nmalicious OAuth client. Because of how the links work, a user cannot tell if\na link is malicious or not without first visiting the page with the XSS\npayload.\n\nIf 3rd parties are allowed to create OAuth clients in the app using\nDoorkeeper, upgrade to the patched versions immediately.\n\nAdditionally there is stored XSS in the native_redirect_uri form element.\n\nDWF has assigned CVE-2018-1000088.\n",
"gem": "doorkeeper",
"ghsa": "hwhh-2fwm-cfgw",
"patched_versions": [
"\u003e= 4.2.6"
],
"related": {
"url": [
"https://github.com/doorkeeper-gem/doorkeeper/issues/969",
"https://github.com/doorkeeper-gem/doorkeeper/issues/970"
]
},
"title": "Doorkeeper gem has stored XSS on authorization consent view",
"unaffected_versions": [
"\u003c 2.1.0"
],
"url": "https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.1.0 \u003c4.2.6",
"affected_versions": "All versions starting from 2.1.0 before 4.2.6",
"credit": "Gauthier Monserand",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2018-04-11",
"description": "Stored XSS on the OAuth Client\u0027s name will cause users being prompted for consent via the `implicit` grant type to execute the XSS payload. The XSS attack could gain access to the user\u0027s active session, resulting in account compromise. Any user is susceptible if they click the authorization link for the malicious OAuth client. Because of how the links work, a user cannot tell if a link is malicious or not without first visiting the page with the XSS payload. In addition, there is stored XSS in the `native_redirect_uri` form element.",
"fixed_versions": [
"4.2.6"
],
"identifier": "CVE-2018-1000088",
"identifiers": [
"CVE-2018-1000088"
],
"not_impacted": "All versions before 2.1.0, all versions starting from 4.2.6",
"package_slug": "gem/doorkeeper",
"pubdate": "2018-03-13",
"solution": "Upgrade to version 4.2.6 or above.",
"title": "XSS on authorization consent view",
"urls": [
"https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/",
"https://github.com/doorkeeper-gem/doorkeeper/issues/969",
"https://github.com/doorkeeper-gem/doorkeeper/pull/970"
],
"uuid": "6d348d35-9191-4320-93d5-d12b7a928631"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "4.2.5",
"versionStartIncluding": "2.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-1000088"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view\u0027s OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client\u0027s name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rubysec/ruby-advisory-db/pull/328/files",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rubysec/ruby-advisory-db/pull/328/files"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0",
"refsource": "MISC",
"tags": [
"Release Notes"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.3.0"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/970",
"refsource": "MISC",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/970"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/969",
"refsource": "MISC",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/969"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2018-04-11T13:48Z",
"publishedDate": "2018-03-13T15:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…