Ruby/doorkeeper/4.2.6

Doorkeeper is an OAuth 2 provider for Rails and Grape.

Repo Link: https://rubygems.org/gems/doorkeeper
License: MIT

4 Security Vulnerabilities

Doorkeeper subject to Incorrect Permission Assignment

Published date: 2018-08-13T20:46:41Z

CVE: CVE-2018-1000211

Links:

Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.

Affected versions: ["4.3.2", "4.3.1", "4.3.0", "4.2.6", "4.2.5", "4.2.0"]

Secure versions: [5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0]

Recommendation: Update to version 5.7.0.

Doorkeeper Improper Authentication vulnerability

Published date: 2023-06-12T19:50:34Z

CVE: CVE-2023-34246

Links:

OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6

the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously approved an authorization request for a given client id

But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured.

Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589

Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646

Affected versions: ["5.5.0.rc1", "5.4.0", "5.4.0.rc2", "5.4.0.rc1", "5.3.3", "5.3.2", "5.3.1", "5.3.0", "5.2.6", "5.2.5", "5.2.4", "5.2.3", "5.2.2", "5.2.1", "5.2.0", "5.2.0.rc3", "5.2.0.rc2", "5.2.0.rc1", "5.1.2", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.2", "4.3.1", "4.3.0", "4.2.6", "4.2.5", "4.2.0", "4.1.0", "4.0.0", "4.0.0.rc4", "4.0.0.rc3", "4.0.0.rc2", "4.0.0.rc1", "3.1.0", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc1", "2.2.2", "2.2.1", "2.2.0", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.1", "2.0.0", "2.0.0.rc3", "2.0.0.rc2", "2.0.0.alpha1", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.0", "1.0.0.rc2", "1.0.0.rc1", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.7", "0.6.6", "0.6.5", "0.6.4", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.6.0.rc1", "0.5.0", "0.5.0.rc1", "0.4.2", "0.4.1", "0.4.0", "0.3.4", "0.3.3", "0.3.2", "0.3.1", "0.3.0", "0.2.0", "0.1.1", "0.1.0", "5.5.0.rc2", "5.5.0", "5.5.1", "5.5.2", "5.5.3", "5.5.4", "5.6.0.rc1", "5.6.0.rc2", "5.6.0", "5.6.1", "5.6.2", "5.6.3", "5.6.4", "5.6.5"]

Secure versions: [5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0]

Recommendation: Update to version 5.7.0.

Doorkeeper gem does not revoke token for public clients

Published date: 2018-07-11

CVE: 2018-1000211

CVSS V3: 7.5

Links:

https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/

Any OAuth application that uses public/non-confidential authentication when interacting with Doorkeeper is unable to revoke its tokens when calling the revocation endpoint.

A bug in the token revocation API would cause it to attempt to authenticate the public OAuth client as if it was a confidential app. Because of this, the token is never revoked.

The impact of this is the access or refresh token is not revoked, leaking access to protected resources for the remainder of that token's lifetime.

If Doorkeeper is used to facilitate public OAuth apps and leverage token revocation functionality, upgrade to the patched versions immediately.

Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.

DWF has assigned CVE-2018-1000211.

Affected versions: ["4.3.2", "4.3.1", "4.3.0", "4.2.6", "4.2.5", "4.2.0"]

Secure versions: [5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0]

Recommendation: Update to version 5.7.0.

Doorkeeper Improper Authentication vulnerability

Published date: 2023-06-12

CVE: 2023-34246

CVSS V3: 4.2

Links:

https://github.com/advisories/GHSA-7w2c-w47h-789w

OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6

the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously approved an authorization request for a given client id

But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured.

Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589

Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646

Secure versions: [5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0]

Recommendation: Update to version 5.7.0.

119 Other Versions

Version	License	Security	Released
5.7.0	MIT		2024-04-24 - 10:44	20 days
5.6.9	MIT		2024-02-14 - 07:54	3 months
5.6.8	MIT		2023-12-01 - 16:02	5 months
5.6.7	MIT		2023-11-23 - 07:56	6 months
5.6.6	MIT		2023-03-29 - 07:19	about 1 year
5.6.5	MIT	2	2023-02-22 - 09:00	about 1 year
5.6.4	MIT	2	2023-01-31 - 07:24	over 1 year
5.6.3	MIT	2	2023-01-30 - 12:01	over 1 year
5.6.2	MIT	2	2022-11-29 - 08:19	over 1 year
5.6.1	MIT	2	2022-11-28 - 08:20	over 1 year
5.6.0	MIT	2	2022-09-08 - 06:32	over 1 year
5.6.0.rc2	MIT	2	2022-05-26 - 07:43	almost 2 years
5.6.0.rc1	MIT	2	2022-02-04 - 07:10	over 2 years
5.5.4	MIT	2	2021-10-05 - 13:57	over 2 years
5.5.3	MIT	2	2021-09-23 - 07:09	over 2 years
5.5.2	MIT	2	2021-06-11 - 07:26	almost 3 years
5.5.1	MIT	2	2021-04-06 - 15:52	about 3 years
5.5.0	MIT	2	2021-02-19 - 06:35	about 3 years
5.5.0.rc2	MIT	2	2021-01-21 - 17:31	over 3 years
5.5.0.rc1	MIT	2	2020-08-04 - 07:18	almost 4 years
5.4.0	MIT	2	2020-05-11 - 10:46	about 4 years
5.4.0.rc2	MIT	2	2020-05-02 - 13:27	about 4 years
5.4.0.rc1	MIT	2	2020-04-08 - 07:40	about 4 years
5.3.3	MIT	2	2020-05-07 - 19:17	about 4 years
5.3.2	MIT	2	2020-05-02 - 13:14	about 4 years
5.3.1	MIT	4	2020-02-09 - 09:42	over 4 years
5.3.0	MIT	4	2020-01-29 - 14:54	over 4 years
5.2.6	MIT	2	2020-05-07 - 19:20	about 4 years
5.2.5	MIT	2	2020-05-02 - 13:25	about 4 years
5.2.4	MIT	3	2020-02-09 - 09:49	over 4 years
5.2.3	MIT	3	2019-12-12 - 14:46	over 4 years
5.2.2	MIT	3	2019-11-10 - 10:17	over 4 years
5.2.1	MIT	3	2019-09-17 - 13:32	over 4 years
5.2.0	MIT	3	2019-09-16 - 08:31	over 4 years
5.2.0.rc3	MIT	2	2019-08-28 - 07:35	over 4 years
5.2.0.rc2	MIT	2	2019-06-17 - 08:27	almost 5 years
5.2.0.rc1	MIT	2	2019-05-23 - 15:17	almost 5 years
5.1.2	MIT	2	2020-10-19 - 07:54	over 3 years
5.1.1	MIT	2	2020-05-02 - 13:38	about 4 years
5.1.0	MIT	3	2019-04-17 - 14:35	about 5 years
5.1.0.rc2	MIT	2	2019-03-22 - 07:49	about 5 years
5.1.0.rc1	MIT	2	2019-01-17 - 08:41	over 5 years
5.0.3	MIT	2	2020-05-05 - 08:43	about 4 years
5.0.2	MIT	3	2018-10-25 - 09:25	over 5 years
5.0.1	MIT	3	2018-10-10 - 14:08	over 5 years
5.0.0	MIT	3	2018-08-24 - 13:55	over 5 years
5.0.0.rc2	MIT	2	2018-07-17 - 10:01	almost 6 years
5.0.0.rc1	MIT	2	2018-06-11 - 11:42	almost 6 years
4.4.3	MIT	2	2018-09-19 - 08:41	over 5 years
4.4.2	MIT	2	2018-08-20 - 15:24	over 5 years
4.4.1	MIT	2	2018-07-27 - 14:58	almost 6 years
4.4.0	MIT	2	2018-07-17 - 09:57	almost 6 years
4.3.2	MIT	4	2018-03-28 - 09:49	about 6 years
4.3.1	MIT	4	2018-03-03 - 09:44	about 6 years
4.3.0	MIT	4	2018-02-23 - 15:06	about 6 years
4.2.6	MIT	4	2017-05-26 - 00:08	almost 7 years
4.2.5	MIT	6	2017-02-12 - 16:09	about 7 years
4.2.0	MIT	6	2016-08-18 - 21:15	over 7 years
4.1.0	MIT	7	2016-07-29 - 23:09	almost 8 years
4.0.0	MIT	7	2016-07-01 - 21:31	almost 8 years
4.0.0.rc4	MIT	7	2016-05-17 - 18:14	almost 8 years
4.0.0.rc3	MIT	7	2016-04-20 - 22:23	about 8 years
4.0.0.rc2	MIT	7	2016-03-03 - 01:56	about 8 years
4.0.0.rc1	MIT	7	2016-02-26 - 03:36	about 8 years
3.1.0	MIT	7	2015-12-23 - 18:14	over 8 years
3.0.1	MIT	7	2015-09-24 - 03:49	over 8 years
3.0.0	MIT	7	2015-07-30 - 19:09	almost 9 years
3.0.0.rc2	MIT	7	2015-07-09 - 22:32	almost 9 years
3.0.0.rc1	MIT	7	2015-05-12 - 03:18	about 9 years
2.2.2	MIT	7	2015-07-30 - 19:15	almost 9 years
2.2.1	MIT	7	2015-05-05 - 02:12	about 9 years
2.2.0	MIT	7	2015-04-19 - 12:54	about 9 years
2.1.4	MIT	7	2015-03-27 - 16:14	about 9 years
2.1.3	MIT	7	2015-03-01 - 22:34	about 9 years
2.1.2	MIT	7	2015-02-26 - 02:39	about 9 years
2.1.1	MIT	8	2015-02-06 - 16:12	over 9 years
2.1.0	MIT	8	2015-01-13 - 20:40	over 9 years
2.0.1	MIT	6	2014-12-17 - 19:44	over 9 years
2.0.0	MIT	6	2014-12-16 - 21:03	over 9 years
2.0.0.rc3	MIT	7	2014-12-14 - 16:59	over 9 years
2.0.0.rc2	MIT	7	2014-12-09 - 13:18	over 9 years
2.0.0.alpha1	MIT	7	2014-10-11 - 21:04	over 9 years
1.4.2	MIT	5	2015-03-03 - 04:09	about 9 years
1.4.1	MIT	5	2014-12-17 - 13:13	over 9 years
1.4.0	MIT	6	2014-07-31 - 15:49	almost 10 years
1.3.1	MIT	8	2014-07-06 - 14:50	almost 10 years
1.3.0	MIT	8	2014-05-23 - 15:19	almost 10 years
1.2.0	MIT	8	2014-05-03 - 13:31	about 10 years
1.1.0	MIT	6	2014-03-29 - 17:43	about 10 years
1.0.0	MIT	6	2014-01-13 - 17:53	over 10 years
1.0.0.rc2	MIT	6	2014-01-09 - 20:02	over 10 years
1.0.0.rc1	MIT	6	2013-12-11 - 19:02	over 10 years
0.7.4	MIT	6	2013-12-01 - 18:57	over 10 years
0.7.3	MIT	6	2013-10-04 - 22:58	over 10 years
0.7.2	MIT	6	2013-09-11 - 00:43	over 10 years
0.7.1	MIT	6	2013-08-30 - 21:34	over 10 years
0.7.0	UNKNOWN	6	2013-08-22 - 03:04	over 10 years
0.6.7	UNKNOWN	6	2013-01-13 - 18:48	over 11 years
0.6.6	UNKNOWN	6	2013-01-04 - 14:29	over 11 years
0.6.5	UNKNOWN	6	2012-12-26 - 22:45	over 11 years