[DRE-maint] Bug#1038950: ruby-doorkeeper: CVE-2023-34246
Moritz Mühlenhoff
jmm at inutil.org
Fri Jun 23 16:09:02 BST 2023
Source: ruby-doorkeeper
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby-doorkeeper.
CVE-2023-34246[0]:
| Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior
| to version 5.6.6, Doorkeeper automatically processes authorization
| requests without user consent for public clients that have been
| previously approved. Public clients are inherently vulnerable to
| impersonation; their identity cannot be assured. This issue is fixed
| in version 5.6.6.
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
https://github.com/doorkeeper-gem/doorkeeper/issues/1589
https://github.com/doorkeeper-gem/doorkeeper/pull/1646
Fixed by: https://github.com/doorkeeper-gem/doorkeeper/commit/f202079baac4c978a01ccc9a45d78fde368ac907 (v5.6.6)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-34246
https://www.cve.org/CVERecord?id=CVE-2023-34246
Please adjust the affected versions in the BTS as needed.
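The decision the advisory describes, modelled as an added Ruby example (constructed for this report, not Doorkeeper's own code): a still-valid token for the same client, resource owner and scopes counts as a prior approval and, in the vulnerable policy, skips the consent screen for any client; the hardened policy reuses prior consent only for confidential clients, since a public client's identity cannot be assured. All client ids, tokens and the clock are constructed sample data.

```ruby
# Constructed model of an OAuth 2 provider's "skip the consent screen?" decision.
Client = Struct.new(:client_id, :confidential, keyword_init: true)
Token  = Struct.new(:client_id, :owner_id, :scopes, :revoked, :expires_at, keyword_init: true)

# Fixed clock so the sample data is deterministic (constructed).
NOW = Time.utc(2023, 6, 23, 12, 0, 0)

# Constructed sample data: one public client (no secret) and one confidential client,
# each holding a still-valid "read" token for resource owner 42, plus a revoked token.
PUBLIC_CLIENT       = Client.new(client_id: "spa-app", confidential: false)
CONFIDENTIAL_CLIENT = Client.new(client_id: "server-app", confidential: true)
SAMPLE_TOKENS = [
  Token.new(client_id: "spa-app",    owner_id: 42, scopes: %w[read],       revoked: false, expires_at: NOW + 3600),
  Token.new(client_id: "server-app", owner_id: 42, scopes: %w[read write], revoked: false, expires_at: NOW + 3600),
  Token.new(client_id: "spa-app",    owner_id: 42, scopes: %w[read write], revoked: true,  expires_at: NOW + 3600),
].freeze

# A token counts as a prior approval only if it belongs to this client and owner,
# is neither revoked nor expired, and already covers every requested scope.
def matching_token(tokens, client, owner_id, requested_scopes, now: NOW)
  tokens.find do |t|
    t.client_id == client.client_id && t.owner_id == owner_id &&
      !t.revoked && t.expires_at > now && (requested_scopes - t.scopes).empty?
  end
end

# Pre-5.6.6 behaviour: any prior approval re-authorizes without asking the resource owner,
# regardless of whether the client could prove who it is.
def skip_consent_vulnerable?(tokens, client, owner_id, requested_scopes)
  !matching_token(tokens, client, owner_id, requested_scopes).nil?
end

# Hardened behaviour: prior approval is reused only for confidential clients, which have
# authenticated with a client secret. A public client's identity cannot be assured, so the
# resource owner is asked again on every authorization request.
def skip_consent_hardened?(tokens, client, owner_id, requested_scopes)
  client.confidential && !matching_token(tokens, client, owner_id, requested_scopes).nil?
end

# Evaluate both policies for each sample client on a "read" request, keyed by client id.
def consent_decisions
  [PUBLIC_CLIENT, CONFIDENTIAL_CLIENT].to_h do |c|
    [c.client_id, { vulnerable: skip_consent_vulnerable?(SAMPLE_TOKENS, c, 42, %w[read]),
                    hardened:   skip_consent_hardened?(SAMPLE_TOKENS, c, 42, %w[read]) }]
  end
end
```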