CVE-2023-34246: Doorkeeper Improper Authentication vulnerability

4.2 CVSS

Description

Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation because their identity cannot be assured. This issue is fixed in version 5.6.6.
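To make the description concrete, the following added example (written for this page, not Doorkeeper's own code) models the consent-skipping decision in simplified form: a prior grant is reused only if it belongs to the same client and resource owner, is still valid and already covers the requested scopes. The vulnerable variant reuses such a grant for any client; the hardened variant additionally requires the client to be confidential, since only a confidential client has proven its identity with a secret. The `Client`, `Grant` and sample data are constructed for illustration.

```ruby
# Added example modelling CVE-2023-34246, not Doorkeeper's implementation.
require 'time'

# Hypothetical minimal records standing in for Doorkeeper's application and token models.
Client = Struct.new(:uid, :confidential, keyword_init: true)
Grant  = Struct.new(:client_uid, :owner_id, :scopes, :revoked, :expires_at, keyword_init: true)

# A prior grant matches when it is for the same client and resource owner, is neither
# revoked nor expired, and its scopes already cover every scope now being requested.
def matching_grant(grants, client, owner_id, requested_scopes, now: Time.now)
  grants.find do |g|
    g.client_uid == client.uid &&
      g.owner_id == owner_id &&
      !g.revoked &&
      (g.expires_at.nil? || g.expires_at > now) &&
      (requested_scopes - g.scopes).empty?
  end
end

# Pre-5.6.6 behaviour (vulnerable): any matching prior grant skips the consent screen,
# even for a public client, whose client_id alone can be presented by an impostor.
def consent_required_vulnerable?(grants, client, owner_id, scopes)
  matching_grant(grants, client, owner_id, scopes).nil?
end

# Hardened behaviour: only a confidential client may reuse prior approval;
# a public client is always sent back through the consent screen.
def consent_required_fixed?(grants, client, owner_id, scopes)
  return true unless client.confidential

  matching_grant(grants, client, owner_id, scopes).nil?
end

# Constructed sample data: user "alice" previously approved both apps for the "read" scope.
PUBLIC_APP       = Client.new(uid: 'pub-app',  confidential: false)
CONFIDENTIAL_APP = Client.new(uid: 'conf-app', confidential: true)
SAMPLE_GRANTS = [
  Grant.new(client_uid: 'pub-app',  owner_id: 'alice', scopes: ['read'], revoked: false, expires_at: nil),
  Grant.new(client_uid: 'conf-app', owner_id: 'alice', scopes: ['read'], revoked: false, expires_at: nil)
]

if __FILE__ == $PROGRAM_NAME
  puts "public client, vulnerable: consent required? " \
       "#{consent_required_vulnerable?(SAMPLE_GRANTS, PUBLIC_APP, 'alice', ['read'])}"
  puts "public client, fixed:      consent required? " \
       "#{consent_required_fixed?(SAMPLE_GRANTS, PUBLIC_APP, 'alice', ['read'])}"
end
```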

Classification

CVE ID: CVE-2023-34246

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.2

Affected Products

Vendor: doorkeeper-gem

Product: doorkeeper

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.12% (estimated probability of exploitation in the wild)

EPSS Percentile: 47.62% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
https://github.com/doorkeeper-gem/doorkeeper/issues/1589
https://github.com/doorkeeper-gem/doorkeeper/pull/1646
https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6
https://www.rfc-editor.org/rfc/rfc8252#section-8.6
https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html

Timeline