Search CVE reports
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public...
2 affected packages
ruby-doorkeeper, ruby-doorkeeper-openid-connect
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper | Not affected | Fixed | Fixed | Fixed |
ruby-doorkeeper-openid-connect | Not affected | Not affected | Not affected | Not affected |
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and...
1 affected package
ruby-doorkeeper
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper | Not affected | Not affected | Not affected | Not affected |
Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with...
1 affected package
ruby-doorkeeper-openid-connect
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper-openid-connect | — | — | — | Not affected |
Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the Token revocation API's authorized method, which can result in access tokens not being revoked for public OAuth apps, leaking access until expiry.
1 affected package
ruby-doorkeeper
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper | Not affected | Not affected | Not affected | Ignored |
Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in the web view's OAuth app form and user authorization prompt web view, which can result in Stored XSS: a payload in the OAuth Client's name will cause users...
1 affected package
ruby-doorkeeper
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper | Not affected | Not affected | Not affected | Not affected |
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.
1 affected package
ruby-doorkeeper
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby-doorkeeper | Not affected | Not affected | Not affected | Not affected |