CVE-2023-34246

2023-06-1217:15:09

Debian Security Bug Tracker

security-tracker.debian.org

doorkeeper

oauth 2

ruby on rails

grape

public clients

impersonation

authorization requests

user consent

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.002

Percentile

55.9%

JSON

Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. This issue is fixed in version 5.6.6.

OSVersionArchitecturePackageVersionFilename
Debian12allruby-doorkeeper<= 5.5.0-2ruby-doorkeeper_5.5.0-2_all.deb
Debian11allruby-doorkeeper<= 5.3.0-2ruby-doorkeeper_5.3.0-2_all.deb
Debian999allruby-doorkeeper< 5.6.6-2ruby-doorkeeper_5.6.6-2_all.deb
Debian13allruby-doorkeeper< 5.6.6-2ruby-doorkeeper_5.6.6-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ruby-doorkeeper	<= 5.5.0-2	ruby-doorkeeper_5.5.0-2_all.deb
Debian	11	all	ruby-doorkeeper	<= 5.3.0-2	ruby-doorkeeper_5.3.0-2_all.deb
Debian	999	all	ruby-doorkeeper	< 5.6.6-2	ruby-doorkeeper_5.6.6-2_all.deb
Debian	13	all	ruby-doorkeeper	< 5.6.6-2	ruby-doorkeeper_5.6.6-2_all.deb