CVE-2023-34246
Severity: MEDIUM 4.2 | EPSS: 0.31% | ruby-doorkeeper - security update
Published: 2023/6/12 | Modified: 2026/4/28
Description
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, because their identity cannot be assured. This issue is fixed in version 5.6.6.
Affected packages (4)
- Debian / ruby-doorkeeper: from 0, < 5.3.0-2+deb11u1
- Debian / ruby-doorkeeper: from 0, < 4.4.2-1+deb10u1
- Debian / ruby-doorkeeper: from 0, < 5.3.0-2+deb11u1
- RubyGems / doorkeeper: from 0, < 5.6.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
References (11)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-34246
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2023-34246
- PATCH: https://github.com/doorkeeper-gem/doorkeeper
- WEB: https://github.com/doorkeeper-gem/doorkeeper/issues/1589
- WEB: https://github.com/doorkeeper-gem/doorkeeper/pull/1646
- WEB: https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6
- WEB: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2023-34246.yml
- WEB: https://lists.debian.org/debian-lts-announce/2023/07/msg00016.html
- WEB: https://lists.debian.org/debian-lts-announce/2024/12/msg00010.html
- WEB: https://www.rfc-editor.org/rfc/rfc8252#section-8.6