PT-2019-19886 · Doorkeeper · Doorkeeper::Openidconnect

Rschultheis · Published 2019-03-15 · Updated 2019-03-27 · CVE-2019-9837

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Doorkeeper::OpenidConnect versions 1.4.x through 1.5.3
Description: The issue allows an open redirect via the redirect_uri field of an OAuth authorization request. When the request carries the 'openid' scope and prompt=none, the resulting error response is delivered to the supplied redirect_uri, which can be exploited for phishing attacks against the authorization flow.
Recommendations: For versions 1.4.x through 1.5.3, consider restricting the use of the redirect_uri field in OAuth authorization requests that carry the 'openid' scope and prompt=none, so that the error response cannot be turned into an open redirect. As a temporary workaround, restrict access to the authorization flow to minimize the risk of phishing attacks until a patch is available.
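As an added illustration (not Doorkeeper's own code), the check a provider needs in the prompt=none error branch described above: the login_required error is only redirected when redirect_uri exactly matches a URI registered for the client, otherwise it is rendered on the provider's own page. The client registry, function names and sample values are hypothetical.

```ruby
require "uri"

# Constructed sample client registry (hypothetical, not Doorkeeper's data model):
# client_id => exactly registered redirect URIs.
CLIENTS = {
  "webapp" => ["https://app.example.com/callback"],
}.freeze

# True only when +uri+ parses, uses http(s) and is byte-for-byte identical to a
# URI registered for the client. No prefix, host-only or wildcard matching.
def registered_redirect_uri?(client_id, uri)
  return false if uri.to_s.empty?
  begin
    parsed = URI.parse(uri)
  rescue URI::InvalidURIError
    return false
  end
  return false unless %w[https http].include?(parsed.scheme)
  Array(CLIENTS[client_id]).include?(uri)
end

# Decides where an authorization error is delivered. Only a registered
# redirect_uri receives the error via a redirect; anything else is rendered on
# the provider's own page, so the browser never follows an unregistered URI.
def error_response_target(client_id, redirect_uri, error, description)
  params = { "error" => error, "error_description" => description }
  return [:render, params] unless registered_redirect_uri?(client_id, redirect_uri)

  location = URI.parse(redirect_uri)
  location.query = [location.query, URI.encode_www_form(params)].compact.join("&")
  [:redirect, location.to_s]
end

# Simulated prompt=none branch of an OIDC authorization request: with
# scope=openid and prompt=none but no signed-in user, the provider must answer
# login_required, and that error obeys the same redirect_uri validation as a
# successful authorization response would.
def handle_prompt_none(client_id, params, logged_in:)
  oidc = params["scope"].to_s.split.include?("openid") && params["prompt"] == "none"
  return [:continue] if !oidc || logged_in

  error_response_target(client_id, params["redirect_uri"],
                        "login_required", "End-User authentication is required")
end
```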

Fix

Open Redirect


Weakness Enumeration

Related identifiers

CVE-2019-9837
GHSA-VV4C-G6Q7-P3Q7

Affected products

Doorkeeper::Openidconnect