Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by doorkeeper-gem
CVE-2023-34246 (GCVE-0-2023-34246)
Vulnerability from nvd – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
VLAI
Title
Doorkeeper Improper Authentication vulnerability
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Severity
4.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/doorkeeper-gem/doorkeeper/secu… | x_refsource_CONFIRM |
| https://github.com/doorkeeper-gem/doorkeeper/issu… | x_refsource_MISC |
| https://github.com/doorkeeper-gem/doorkeeper/pull/1646 | x_refsource_MISC |
| https://github.com/doorkeeper-gem/doorkeeper/rele… | x_refsource_MISC |
| https://www.rfc-editor.org/rfc/rfc8252#section-8.6 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2023… | |
| https://lists.debian.org/debian-lts-announce/2024… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| doorkeeper-gem | doorkeeper |
Affected:
< 5.6.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-09T05:03:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T23:12:01.958465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T23:17:33.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "doorkeeper",
"vendor": "doorkeeper-gem",
"versions": [
{
"status": "affected",
"version": "\u003c 5.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T14:06:18.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
}
],
"source": {
"advisory": "GHSA-7w2c-w47h-789w",
"discovery": "UNKNOWN"
},
"title": "Doorkeeper Improper Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34246",
"datePublished": "2023-06-12T16:33:05.704Z",
"dateReserved": "2023-05-31T13:51:51.173Z",
"dateUpdated": "2025-02-13T16:55:25.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34246 (GCVE-0-2023-34246)
Vulnerability from cvelistv5 – Published: 2023-06-12 16:33 – Updated: 2025-02-13 16:55
VLAI
Title
Doorkeeper Improper Authentication vulnerability
Summary
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.
Severity
4.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/doorkeeper-gem/doorkeeper/secu… | x_refsource_CONFIRM |
| https://github.com/doorkeeper-gem/doorkeeper/issu… | x_refsource_MISC |
| https://github.com/doorkeeper-gem/doorkeeper/pull/1646 | x_refsource_MISC |
| https://github.com/doorkeeper-gem/doorkeeper/rele… | x_refsource_MISC |
| https://www.rfc-editor.org/rfc/rfc8252#section-8.6 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2023… | |
| https://lists.debian.org/debian-lts-announce/2024… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| doorkeeper-gem | doorkeeper |
Affected:
< 5.6.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-09T05:03:22.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T23:12:01.958465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T23:17:33.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "doorkeeper",
"vendor": "doorkeeper-gem",
"versions": [
{
"status": "affected",
"version": "\u003c 5.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T14:06:18.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/1589"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1646"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6"
},
{
"name": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rfc-editor.org/rfc/rfc8252#section-8.6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html"
}
],
"source": {
"advisory": "GHSA-7w2c-w47h-789w",
"discovery": "UNKNOWN"
},
"title": "Doorkeeper Improper Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34246",
"datePublished": "2023-06-12T16:33:05.704Z",
"dateReserved": "2023-05-31T13:51:51.173Z",
"dateUpdated": "2025-02-13T16:55:25.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}