Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by doorkeeper-gem
CVE-2023-34246 (GCVE-0-2023-34246)
Vulnerability from cvelistv5 – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
VLAI?
Title
Doorkeeper Improper Authentication vulnerability
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Severity ?
4.2 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| doorkeeper-gem | doorkeeper |
Affected:
< 5.6.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-09T05:03:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T23:12:01.958465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T23:17:33.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "doorkeeper",
"vendor": "doorkeeper-gem",
"versions": [
{
"status": "affected",
"version": "\u003c 5.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T14:06:18.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
}
],
"source": {
"advisory": "GHSA-7w2c-w47h-789w",
"discovery": "UNKNOWN"
},
"title": "Doorkeeper Improper Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34246",
"datePublished": "2023-06-12T16:33:05.704Z",
"dateReserved": "2023-05-31T13:51:51.173Z",
"dateUpdated": "2025-02-13T16:55:25.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}