Doorkeeper Improper Authentication vulnerability
Moderate severity
GitHub Reviewed
Published
Jun 12, 2023
in
doorkeeper-gem/doorkeeper
•
Updated Dec 9, 2024
Description
Published by the National Vulnerability Database
Jun 12, 2023
Published to the GitHub Advisory Database
Jun 12, 2023
Reviewed
Jun 12, 2023
Last updated
Dec 9, 2024
OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6
But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured.
Issue doorkeeper-gem/doorkeeper#1589
Fix doorkeeper-gem/doorkeeper#1646
References