129 matches found

OSV (added 2026/06/04 2:37 p.m., 8 views)

GHSA-M6VC-F87M-CC2H Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret

Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client_secret_post"...

CVSS 6.3 | AI score 5.8 | EPSS 0.00058
Exploits 0 | References 5

Snyk (added 2026/06/04 2:37 p.m., 14 views)

User Impersonation

Overview: doorkeeper-openid_connect is an OpenID Connect extension for Doorkeeper. Affected versions of this package are vulnerable to User Impersonation via the Dynamic Client Registration feature, which treats clients registered with client_secret_basic and client_secret_post as confidential: false, which allows...

CVSS 8.8 | AI score 5.5 | EPSS 0.00058
Exploits 0 | References 2

Positive Technologies (added 2026/06/04 12:00 a.m., 11 views)

PT-2026-46299

Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client...

CVSS 6.3 | AI score 5.8 | EPSS 0.00058
Exploits 0 | References 4

RubySec (added 2026/06/04 12:00 a.m., 6 views)

Dynamic Client Registration feature creates public clients with client_secret

Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client_secret_post"...

AI score 5.5 | EPSS 0.00058
Exploits 0 | References 1 | Affected software 1

RedhatCVE (added 2026/01/09 9:53 a.m., 12 views)

CVE-2020-10187

Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their...

CVSS 7.5 | AI score 6.3 | EPSS 0.02016
Exploits 0 | References 1

EUVD (added 2025/10/07 12:30 a.m., 10 views)

EUVD-2019-0393

Malware in sbrugna...

CVSS 6.1 | AI score 6.1 | EPSS 0.01349
Exploits 0 | References 6

EUVD (added 2025/10/07 12:30 a.m., 7 views)

EUVD-2018-0373

Malware in sbrugna...

CVSS 7.5 | AI score 7.4 | EPSS 0.01611
Exploits 0 | References 6

EUVD (added 2025/10/07 12:30 a.m., 4 views)

EUVD-2017-0157

Malware in sbrugna...

CVSS 9.1 | AI score 9 | EPSS 0.04685
Exploits 0 | References 12

EUVD (added 2025/10/07 12:30 a.m., 3 views)

EUVD-2020-0426

Malware in sbrugna...

CVSS 7.5 | AI score 7.4 | EPSS 0.02016
Exploits 0 | References 7

EUVD (added 2025/10/07 12:30 a.m., 5 views)

EUVD-2018-0441

Malware in sbrugna...

CVSS 6.8 | AI score 6.4 | EPSS 0.00654
Exploits 0 | References 7

Tenable Nessus (added 2025/08/24 12:00 a.m., 6 views)

Linux Distros Unpatched Vulnerability : CVE-2018-1000211

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the Token revocation API's authorized method that can result in Access token...

CVSS 7.5 | AI score 7.2 | EPSS 0.01611
Exploits 0 | References 2

RedhatCVE (added 2025/05/23 3:55 a.m., 10 views)

CVE-2023-34246

Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot...

CVSS 6.5 | AI score 6.6 | EPSS 0.00716
Exploits 1

RedhatCVE (added 2025/05/22 2:43 a.m., 9 views)

CVE-2018-1000211

Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the Token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry...

CVSS 7.5 | AI score 6.8 | EPSS 0.01611
Exploits 0 | References 1

Ubuntu (added 2025/03/31 1:29 a.m., 12 views)

USN-7394-1: Doorkeeper vulnerabilities

Jonathan Clem and Justin Bull discovered that Doorkeeper could allow arbitrary token revocation and replay attacks. An attacker could possibly use this issue to gain unauthorized access to a system. (CVE-2016-6582) It was discovered that Doorkeeper incorrectly handled storing client names. An...

CVSS 9.1 | AI score 7.7 | EPSS 0.04685
Exploits 0

OpenVAS (added 2025/03/31 12:00 a.m., 10 views)

Ubuntu: Security Advisory (USN-7394-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.1 | AI score 7.8 | EPSS 0.04685
Exploits 0 | References 2

Tenable Nessus (added 2025/03/31 12:00 a.m., 8 views)

Ubuntu 16.04 LTS : Doorkeeper vulnerabilities (USN-7394-1)

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7394-1 advisory. Jonathan Clem and Justin Bull discovered that Doorkeeper could allow arbitrary token revocation and replay attacks. An attacker could possibly use this...

CVSS 9.1 | AI score 7.8 | EPSS 0.04685
Exploits 0 | References 3

Debian (added 2024/12/09 3:09 a.m., 15 views)

[SECURITY] [DLA 3989-1] ruby-doorkeeper security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3989-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk December 09, 2024 https://wiki.debian.org/LTS -...

CVSS 6.5 | AI score 6.4 | EPSS 0.00716
Exploits 1

OpenVAS (added 2024/12/09 12:00 a.m., 12 views)

Debian: Security Advisory (DLA-3989-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5 | AI score 7.5 | EPSS 0.00716
Exploits 1 | References 2

Tenable Nessus (added 2024/12/09 12:00 a.m., 11 views)

Debian dla-3989 : ruby-doorkeeper - security update

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-3989 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3989-1 [email protected] https://www.debian.org/lts/security/...

CVSS 6.5 | AI score 6.4 | EPSS 0.00716
Exploits 1 | References 4

OSV (added 2024/12/09 12:00 a.m., 12 views)

DLA-3989-1 ruby-doorkeeper - security update

Bulletin has no description...

CVSS 6.5 | AI score 5.1 | EPSS 0.00716
Exploits 1