CVE-2023-34246
Published: 12 June 2023
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved: once a resource owner has authorized a given client_id, a later authorization request carrying that client_id is granted silently. Public clients (clients without a client secret) are inherently vulnerable to impersonation, since their identity cannot be assured, so another application presenting the same client_id can obtain an authorization grant the user never saw (RFC 8252, section 8.6). This issue is fixed in version 5.6.6, which no longer skips user consent for public clients.
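The decision the advisory describes, as an added illustration that is not Doorkeeper's own code: an authorization server handling the authorize endpoint must decide whether an earlier approval lets it skip the consent screen. The names Client, AccessToken, ConsentPolicy and the sample tokens are constructed for this example; the two policy methods model the pre-5.6.6 behaviour and the hardened rule side by side.

```ruby
# Added illustration of the CVE-2023-34246 decision (not Doorkeeper's code):
# when an authorization server receives GET /oauth/authorize, should it skip
# the consent screen because the resource owner approved this client before?
# Client, AccessToken and ConsentPolicy are hypothetical names for this example.

Client = Struct.new(:uid, :confidential, keyword_init: true) do
  # Confidential clients authenticate with a secret; public clients cannot.
  def confidential?
    confidential
  end
end

AccessToken = Struct.new(:client_uid, :owner_id, :scopes, :revoked, :expired,
                         keyword_init: true) do
  # An earlier token counts as prior approval only if it belongs to this
  # client and owner, is still usable, and already covers every requested scope.
  def matches?(client, owner, requested_scopes)
    client_uid == client.uid && owner_id == owner &&
      !revoked && !expired && (requested_scopes - scopes).empty?
  end
end

module ConsentPolicy
  module_function

  def matching_token?(tokens, client, owner, scopes)
    tokens.any? { |t| t.matches?(client, owner, scopes) }
  end

  # Behaviour before Doorkeeper 5.6.6: any prior approval for the same
  # client_id skips consent, even though a public client_id proves nothing.
  def skip_consent_vulnerable?(tokens:, client:, owner:, scopes:)
    matching_token?(tokens, client, owner, scopes)
  end

  # Hardened rule: prior approval is honoured only for confidential clients,
  # whose identity was established by client authentication. Public clients
  # always get the consent screen, as RFC 8252 section 8.6 requires.
  def skip_consent_fixed?(tokens:, client:, owner:, scopes:)
    client.confidential? && matching_token?(tokens, client, owner, scopes)
  end
end

# Constructed sample data: user 42 approved a public native app and a
# confidential web app in the past.
NATIVE_APP = Client.new(uid: "mobile-app", confidential: false)
WEB_APP    = Client.new(uid: "web-backend", confidential: true)
PRIOR_TOKENS = [
  AccessToken.new(client_uid: "mobile-app",  owner_id: 42, scopes: %w[read write],
                  revoked: false, expired: false),
  AccessToken.new(client_uid: "web-backend", owner_id: 42, scopes: %w[read],
                  revoked: false, expired: false),
].freeze

# Scenario from the advisory: any app on the device can present client_id
# "mobile-app" (there is no secret to prove it), requesting read access for user 42.
def demo
  impostor = { tokens: PRIOR_TOKENS, client: NATIVE_APP, owner: 42, scopes: %w[read] }
  legit    = { tokens: PRIOR_TOKENS, client: WEB_APP,    owner: 42, scopes: %w[read] }
  {
    public_client_vulnerable:  ConsentPolicy.skip_consent_vulnerable?(**impostor), # true
    public_client_fixed:       ConsentPolicy.skip_consent_fixed?(**impostor),      # false
    confidential_client_fixed: ConsentPolicy.skip_consent_fixed?(**legit)          # true
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

To check exposure, compare the doorkeeper version pinned in Gemfile.lock (or the installed ruby-doorkeeper package version) against 5.6.6 upstream and the fixed Ubuntu versions in the Status table below. One caveat: the fix only changes the automatic-approval path; an application whose own skip_authorization configuration returns true for public clients bypasses consent itself and gains nothing from the upgrade.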
Notes
Author | Note
---|---
sbeattie | need to verify ruby-doorkeeper-openid-connect as well
Priority
Status
Package | Release | Status
---|---|---
ruby-doorkeeper (Launchpad, Ubuntu, Debian) | bionic | Released (4.3.1-1ubuntu0.1~esm1), available with Ubuntu Pro
 | focal | Released (5.0.2-2ubuntu0.1)
 | jammy | Released (5.5.0-2ubuntu0.22.04.1)
 | kinetic | Released (5.5.0-2ubuntu0.22.10.1)
 | lunar | Released (5.5.0-2ubuntu0.23.04.1)
 | mantic | Needs triage
 | noble | Needs triage
 | trusty | Does not exist
 | upstream | Released (5.6.6)
 | xenial | Released (2.2.1-1ubuntu0.1~esm1), available with Ubuntu Pro

Patches (upstream): https://github.com/doorkeeper-gem/doorkeeper/pull/1646/commits/f202079baac4c978a01ccc9a45d78fde368ac907
Package | Release | Status
---|---|---
ruby-doorkeeper-openid-connect (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (code not present)
 | focal | Not vulnerable (code not present)
 | jammy | Not vulnerable (code not present)
 | kinetic | Not vulnerable (code not present)
 | lunar | Not vulnerable (code not present)
 | mantic | Needs triage
 | noble | Needs triage
 | trusty | Does not exist
 | upstream | Needs triage
 | xenial | Does not exist
Severity score breakdown
Parameter | Value
---|---
Base score | 6.5
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality impact | Low
Integrity impact | Low
Availability impact | None
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
- https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
- https://github.com/doorkeeper-gem/doorkeeper/issues/1589
- https://github.com/doorkeeper-gem/doorkeeper/pull/1646
- https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6
- https://www.rfc-editor.org/rfc/rfc8252#section-8.6
- https://ubuntu.com/security/notices/USN-6210-1
- https://www.cve.org/CVERecord?id=CVE-2023-34246
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34246
- Launchpad: https://bugs.launchpad.net/bugs/cve/CVE-2023-34246
- Debian: https://security-tracker.debian.org/tracker/CVE-2023-34246