Name | CVE-2023-34246 |
Description | Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot be assured. This issue is fixed in version 5.6.6. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3494-1, DLA-3989-1 |
Debian Bugs | 1038950 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
ruby-doorkeeper (PTS) | bullseye | 5.3.0-2 | vulnerable |
ruby-doorkeeper (PTS) | bullseye (security) | 5.3.0-2+deb11u1 | fixed |
ruby-doorkeeper (PTS) | bookworm | 5.5.0-2 | vulnerable |
ruby-doorkeeper (PTS) | sid, trixie | 5.6.6-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
ruby-doorkeeper | source | experimental | 5.6.6-1 | | | |
ruby-doorkeeper | source | buster | 4.4.2-1+deb10u1 | | DLA-3494-1 | |
ruby-doorkeeper | source | bullseye | 5.3.0-2+deb11u1 | | DLA-3989-1 | |
ruby-doorkeeper | source | (unstable) | 5.6.6-2 | | | 1038950 |
[bookworm] - ruby-doorkeeper <no-dsa> (Minor issue)
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
https://github.com/doorkeeper-gem/doorkeeper/issues/1589
https://github.com/doorkeeper-gem/doorkeeper/pull/1646
Fixed by: https://github.com/doorkeeper-gem/doorkeeper/commit/f202079baac4c978a01ccc9a45d78fde368ac907 (v5.6.6)