Source: ruby-doorkeeper
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-doorkeeper.

CVE-2023-34246[0]:
| Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior
| to version 5.6.6, Doorkeeper automatically processes authorization
| requests without user consent for public clients that have been
| previously approved. Public clients are inherently vulnerable to
| impersonation, their identity cannot be assured. This issue is fixed
| in version 5.6.6.

https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
https://github.com/doorkeeper-gem/doorkeeper/issues/1589
https://github.com/doorkeeper-gem/doorkeeper/pull/1646

Fixed by:
https://github.com/doorkeeper-gem/doorkeeper/commit/f202079baac4c978a01ccc9a45d78fde368ac907 (v5.6.6)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34246
    https://www.cve.org/CVERecord?id=CVE-2023-34246

Please adjust the affected versions in the BTS as needed.
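The consent-skipping check the advisory describes, as an added illustration that is not Doorkeeper's own code: a simplified Ruby model of an authorization endpoint's "previously approved, skip the consent screen" decision, with the pre-5.6.6 behaviour beside a hardened version that only trusts a prior approval when the client is confidential. The class and method names are assumptions for this example, not the gem's API.

```ruby
# Simplified model of an OAuth 2 provider's "skip consent for a previously
# approved client" check. Constructed for illustration; it is not the
# Doorkeeper gem's code and the names below are assumptions.
Application = Struct.new(:client_id, :confidential, :redirect_uri) do
  # Confidential clients authenticate with a client secret; public clients
  # (SPAs, native apps) cannot keep one, so only the client_id identifies them.
  def confidential?
    confidential
  end
end

AccessToken = Struct.new(:application, :resource_owner_id, :scopes, :revoked) do
  def accessible?
    !revoked
  end
end

class AuthorizationRequest
  def initialize(application:, resource_owner_id:, scopes:, existing_tokens:)
    @application = application
    @resource_owner_id = resource_owner_id
    @scopes = scopes
    @existing_tokens = existing_tokens
  end

  # A live token for the same client_id, user and (at least) the requested
  # scopes means the user already consented once.
  def matching_token?
    @existing_tokens.any? do |t|
      t.accessible? &&
        t.application.client_id == @application.client_id &&
        t.resource_owner_id == @resource_owner_id &&
        (@scopes - t.scopes).empty?
    end
  end

  # Pre-5.6.6 behaviour: any prior approval skips the consent screen. A
  # public client_id is not a secret, so an impersonating app presenting
  # the same client_id inherits the user's earlier consent.
  def skip_consent_vulnerable?
    matching_token?
  end

  # Hardened: a prior approval only counts when the client proved its
  # identity with a secret, i.e. it is confidential. Public clients always
  # see the consent screen again.
  def skip_consent_fixed?
    @application.confidential? && matching_token?
  end
end
```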