30 matches found
GHSA-M6VC-F87M-CC2H Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client_secret_post"...
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client_secret_post"...
EUVD-2023-1739
Malicious code in bioql PyPI...
CVE-2023-34246
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...
PKCE Downgrade Attack
spring-security-oauth2-authorization-server is vulnerable to PKCE Downgrade. The vulnerability is due to improper handling of PKCE authorization when a Confidential Client requests an Authorization Code Grant. Note that this vulnerability only applies to Confidential Clients, Public Clients are...
CVE-2024-22258
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...
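The downgrade described in the two Spring Authorization Server entries above comes down to a token endpoint that enforces PKCE only for public clients, so a confidential client's authorization code that was issued with a code_challenge can be redeemed without any code_verifier. The Ruby below is an added model written for this page, not Spring's code: it places that downgradable check beside one that requires a matching code_verifier whenever a code_challenge was bound to the code, whatever the client type (RFC 7636 §4.6). The in-memory CODES store, the helper names and the client identifiers are constructed for the example.

```ruby
require "digest"
require "securerandom"

# Constructed in-memory store of authorization codes issued at /authorize, keyed by the
# code string. Each record keeps the client it was issued to and the PKCE challenge
# (if any) that was bound to it at authorization time.
CODES = {}

def issue_code(client_id:, code_challenge: nil, code_challenge_method: nil)
  code = SecureRandom.urlsafe_base64(32)
  CODES[code] = { client_id: client_id, code_challenge: code_challenge,
                  code_challenge_method: code_challenge_method, used: false }
  code
end

# S256 transform from RFC 7636: BASE64URL(SHA256(code_verifier)) without padding.
def s256(code_verifier)
  [Digest::SHA256.digest(code_verifier)].pack("m0").tr("+/", "-_").delete("=")
end

# Constant-time comparison so the challenge check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A code is redeemable only if it exists, is unused and belongs to the requesting client.
def lookup_live_code(code, client_id)
  rec = CODES[code]
  rec if rec && !rec[:used] && rec[:client_id] == client_id
end

# Downgradable shape: the code_verifier is only demanded from public clients, on the
# assumption that client authentication is enough for confidential ones. A confidential
# client's code that was bound to a code_challenge is therefore redeemable with no
# verifier at all, which is the class of bug the entries above describe.
def redeem_code_downgradable(code, client_id:, confidential:, code_verifier: nil)
  rec = lookup_live_code(code, client_id)
  return :invalid_grant unless rec
  if !confidential && rec[:code_challenge]
    return :invalid_grant unless code_verifier && secure_compare(s256(code_verifier), rec[:code_challenge])
  end
  rec[:used] = true
  :ok
end

# Hardened shape: PKCE is a property of the authorization request, not of the client type.
# If a code_challenge was bound to the code, the token request must carry a code_verifier
# that matches under the recorded method, whoever the client is.
def redeem_code(code, client_id:, code_verifier: nil)
  rec = lookup_live_code(code, client_id)
  return :invalid_grant unless rec
  if rec[:code_challenge]
    return :invalid_grant if code_verifier.nil? || code_verifier.empty?
    expected = case rec[:code_challenge_method]
               when "S256" then s256(code_verifier)
               when "plain", nil then code_verifier # RFC 7636 default; S256 should be required in practice
               end                                 # unknown method => nil => rejected below
    return :invalid_grant if expected.nil? || !secure_compare(expected, rec[:code_challenge])
  end
  rec[:used] = true # single use: a replayed code fails lookup_live_code
  :ok
end
```

The hardened redeem_code deliberately takes no confidential flag: client authentication is checked separately at the token endpoint and is never a reason to relax the verifier check.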
Debian dla-3494 : ruby-doorkeeper - security update
The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3494 advisory. Debian LTS Advisory DLA-3494-1 https://www.debian.org/lts/security/...
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 : Doorkeeper vulnerability (USN-6210-1)
The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 host has a package installed that is affected by a vulnerability as referenced in the USN-6210-1 advisory. It was discovered that Doorkeeper incorrectly performed authorization checks for public clients that have been previou...
USN-6210-1: Doorkeeper vulnerability
It was discovered that Doorkeeper incorrectly performed authorization checks for public clients that have been previously approved. An attacker could potentially exploit this in order to impersonate another user and obtain sensitive information...
USN-6210-1 ruby-doorkeeper vulnerability
It was discovered that Doorkeeper incorrectly performed authorization checks for public clients that have been previously approved. An attacker could potentially exploit this in order to impersonate another user and obtain sensitive information...
Improper Authentication
Overview doorkeeper is an OAuth 2 provider for Rails and Grape. Affected versions of this package are vulnerable to Improper Authentication due to automatically processing authorization requests without user consent for public clients that have been previously approved. Public clients are...
GHSA-7W2C-W47H-789W Doorkeeper Improper Authentication vulnerability
OAuth RFC 8252 says (https://www.rfc-editor.org/rfc/rfc8252#section-8.6) the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously...
Doorkeeper Improper Authentication vulnerability
OAuth RFC 8252 says (https://www.rfc-editor.org/rfc/rfc8252#section-8.6) the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously...
DEBIAN-CVE-2023-34246
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...
Authorization
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...
UBUNTU-CVE-2023-34246
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...
CVE-2023-34246 Doorkeeper Improper Authentication vulnerability
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...
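Two of the Doorkeeper entries in this listing turn on the same distinction between public and confidential clients: CVE-2023-34246 (consent skipped for previously approved public clients, contrary to RFC 8252 §8.6) and the dynamic client registration advisory at the top (a client stored with confidential: false yet handed a client_secret and advertised secret-based token endpoint authentication). The Ruby below is an added illustration for this page, not Doorkeeper's code; the Client and Token structs, the registration_response helper and the sample tokens are constructed for it. It models the pre-fix consent rule beside the hardened one and adds a consistency check that catches the registration mismatch.

```ruby
require "securerandom"

# Constructed stand-ins for an OAuth application record and a previously issued access token.
Client = Struct.new(:client_id, :confidential, keyword_init: true)
Token  = Struct.new(:client_id, :resource_owner_id, :scopes, :revoked, keyword_init: true)

# A token "matches" a new authorization request when it is live, belongs to the same
# client and resource owner, and already covers every requested scope.
def matching_token?(token, client, owner_id, requested_scopes)
  !token.revoked &&
    token.client_id == client.client_id &&
    token.resource_owner_id == owner_id &&
    (requested_scopes - token.scopes).empty?
end

def previously_approved?(client, owner_id, requested_scopes, tokens)
  tokens.any? { |t| matching_token?(t, client, owner_id, requested_scopes) }
end

# Pre-fix rule as the CVE text describes it: any matching live token lets the server
# auto-approve, public clients included. A public client's identity is just a copyable
# client_id, so an attacker presenting that id obtains a fresh grant for a user who once
# approved the real app, without the user ever seeing a consent screen.
def skip_consent_vulnerable?(client, owner_id, requested_scopes, tokens)
  previously_approved?(client, owner_id, requested_scopes, tokens)
end

# Hardened rule (RFC 8252 §8.6): a prior approval only justifies skipping consent when the
# client's identity can be assured, i.e. for a confidential client that authenticates with
# a secret. Public clients always get the prompt.
def skip_consent?(client, owner_id, requested_scopes, tokens)
  client.confidential && previously_approved?(client, owner_id, requested_scopes, tokens)
end

# Dynamic client registration (RFC 7591) response derived from the stored confidentiality
# flag: a public client is registered with token_endpoint_auth_method "none" and receives
# no client_secret; a confidential client receives a secret and a secret-based method.
def registration_response(confidential:, redirect_uris:)
  client = Client.new(client_id: SecureRandom.hex(16), confidential: confidential)
  resp = {
    "client_id" => client.client_id,
    "redirect_uris" => redirect_uris,
    "token_endpoint_auth_method" => confidential ? "client_secret_basic" : "none",
  }
  resp["client_secret"] = SecureRandom.hex(32) if confidential
  [client, resp]
end

# Cross-check a registration response against the stored record. The mismatch described in
# the advisory at the top (confidential: false, yet a client_secret in the response) fails.
def registration_consistent?(client, resp)
  has_secret = resp.key?("client_secret")
  method = resp["token_endpoint_auth_method"]
  if client.confidential
    has_secret && %w[client_secret_basic client_secret_post].include?(method)
  else
    !has_secret && method == "none"
  end
end
```

The point of registration_consistent? is that the confidentiality flag stored on the application row is what later drives decisions like skip_consent?; a response that hands a secret to a client the server has recorded as public leaves the two views of the client's identity in disagreement.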