Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation because their identity cannot be assured, so a prior approval cannot safely be reused to skip the consent step for them. This issue is fixed in version 5.6.6.
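The following Ruby snippet is an added illustrative model of the consent decision described above; it is not Doorkeeper's own code and does not reproduce the gem's internals. The `Application`, `Token`, `matching_token?`, `consent_required_vulnerable?` and `consent_required_fixed?` names and the sample applications and tokens are all constructed for this example. It contrasts the pre-5.6.6 behaviour (any client with a matching prior grant skips the consent screen) with the fixed behaviour (a prior grant only skips consent when the client is confidential).

```ruby
# Minimal model of an OAuth 2 authorization endpoint's "skip consent?" decision.
# All names and data below are constructed for illustration.

Application = Struct.new(:id, :confidential, keyword_init: true)
Token = Struct.new(:application_id, :resource_owner_id, :scopes, :revoked, keyword_init: true)

# Constructed sample clients: a public (native/mobile) app and a confidential web app.
APPS = {
  'native-app' => Application.new(id: 'native-app', confidential: false),
  'web-app'    => Application.new(id: 'web-app',    confidential: true),
}.freeze

# Constructed sample grants: resource owner 42 previously approved both apps.
TOKENS = [
  Token.new(application_id: 'native-app', resource_owner_id: 42, scopes: %w[read],       revoked: false),
  Token.new(application_id: 'web-app',    resource_owner_id: 42, scopes: %w[read write], revoked: false),
].freeze

# True when the resource owner already holds a live token for this client
# that covers every scope the new request asks for.
def matching_token?(app, owner_id, requested_scopes, tokens: TOKENS)
  tokens.any? do |t|
    !t.revoked &&
      t.application_id == app.id &&
      t.resource_owner_id == owner_id &&
      (requested_scopes - t.scopes).empty?
  end
end

# Pre-fix behaviour: a matching prior grant skips consent for any client,
# including public clients whose identity cannot be verified.
def consent_required_vulnerable?(app, owner_id, requested_scopes)
  !matching_token?(app, owner_id, requested_scopes)
end

# Fixed behaviour: only a confidential client (one that can authenticate itself)
# may reuse a prior grant; a public client is always sent to the consent screen.
def consent_required_fixed?(app, owner_id, requested_scopes)
  return true unless app.confidential

  !matching_token?(app, owner_id, requested_scopes)
end

if __FILE__ == $PROGRAM_NAME
  APPS.each_value do |app|
    puts format('%-10s vulnerable: consent=%-5s fixed: consent=%s',
                app.id,
                consent_required_vulnerable?(app, 42, %w[read]),
                consent_required_fixed?(app, 42, %w[read]))
  end
end
```

Running the file shows that, for the same resource owner and the same `read` scope, the public `native-app` skips consent under the vulnerable rule but is asked again under the fixed rule, while the confidential `web-app` is treated the same way by both.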
References
| Link | Resource |
|---|---|
| https://github.com/doorkeeper-gem/doorkeeper/issues/1589 | Exploit, Issue Tracking |
| https://github.com/doorkeeper-gem/doorkeeper/pull/1646 | Patch |
| https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6 | Release Notes |
| https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w | Vendor Advisory |
| https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html | |
| https://www.rfc-editor.org/rfc/rfc8252#section-8.6 | Technical Description |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-06-12T16:33:05.704Z
Updated: 2023-06-12T16:33:05.704Z
Reserved: 2023-05-31T13:51:51.173Z
Link: CVE-2023-34246
NVD Information
Status : Modified
Published: 2023-06-12T17:15:09.967
Modified: 2023-07-12T15:15:08.847
Link: CVE-2023-34246
Redhat Information
No data.
CWE