PT-2023-24770 · Unknown+2 · Doorkeeper+2
Hickford +1
Published 2023-06-12 · Updated 2024-12-09 · CVE-2023-34246
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Doorkeeper versions prior to 5.6.6
Description: The issue concerns Doorkeeper, an OAuth 2 provider for Ruby on Rails and Grape. When a public client has previously been approved by a user, Doorkeeper processes later authorization requests from that client automatically, without asking for consent again. Public clients are inherently vulnerable to impersonation, since their identity cannot be assured, so a prior approval gives no assurance that the current request comes from the same client. This behavior contradicts OAuth RFC 8252, which states that the authorization server should not process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured.

Recommendations: Update to version 5.6.6, which resolves the issue. Until the update is applied, disable automatic processing of authorization requests for public clients as a temporary workaround. Restrict access to public clients to minimize the risk of impersonation. Do not rely solely on previous approvals for public clients; obtain user consent for each authorization request.
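To make the advised mitigation concrete, here is an added, self-contained Ruby model of the consent decision (constructed for this entry, not Doorkeeper's own code): the weak policy reuses any prior approval, while the hardened policy reuses one only for confidential clients, which is the behaviour the recommendation asks for. Client, Grant, ConsentPolicy and the sample grants are assumed names and constructed data.

```ruby
# Constructed model of the consent decision the advisory describes (not Doorkeeper's code).
Client = Struct.new(:id, :confidential, keyword_init: true)
Grant  = Struct.new(:client_id, :owner_id, :scopes, :revoked, keyword_init: true)

class ConsentPolicy
  # grants: previously approved authorizations (stand-in for stored access tokens)
  # require_confidential: when true, only confidential clients may skip consent
  def initialize(grants, require_confidential:)
    @grants = grants
    @require_confidential = require_confidential
  end

  # True when the resource owner already holds an unrevoked approval for this
  # client that covers every requested scope ("previously approved").
  def prior_grant?(client, owner_id, scopes)
    @grants.any? do |g|
      !g.revoked && g.client_id == client.id && g.owner_id == owner_id &&
        (scopes - g.scopes).empty?
    end
  end

  # :auto_approve skips the consent screen; :prompt shows it to the user.
  def decide(client, owner_id, scopes)
    return :prompt unless prior_grant?(client, owner_id, scopes)
    # A public client cannot prove it is the client that was approved earlier,
    # so a prior approval must not be reused for it.
    return :prompt if @require_confidential && !client.confidential
    :auto_approve
  end
end

# Constructed sample data: one public single-page app, one confidential backend.
PUBLIC_CLIENT       = Client.new(id: "spa", confidential: false)
CONFIDENTIAL_CLIENT = Client.new(id: "backend", confidential: true)
GRANTS = [
  Grant.new(client_id: "spa",     owner_id: 42, scopes: %w[read],       revoked: false),
  Grant.new(client_id: "backend", owner_id: 42, scopes: %w[read write], revoked: false),
]
# Weak policy (the behaviour the advisory describes): any prior approval is reused.
VULNERABLE = ConsentPolicy.new(GRANTS, require_confidential: false)
# Hardened policy (the advised behaviour): prior approvals count for confidential clients only.
FIXED = ConsentPolicy.new(GRANTS, require_confidential: true)

def demo
  {
    vulnerable_public:    VULNERABLE.decide(PUBLIC_CLIENT, 42, %w[read]),
    fixed_public:         FIXED.decide(PUBLIC_CLIENT, 42, %w[read]),
    fixed_confidential:   FIXED.decide(CONFIDENTIAL_CLIENT, 42, %w[read write]),
    fixed_scope_escalate: FIXED.decide(CONFIDENTIAL_CLIENT, 42, %w[read write admin]),
  }
end
```

Under the hardened policy the public client is sent back to the consent screen even though it was approved before, and a confidential client asking for a scope it was never granted is prompted as well.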

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2023-34246
DLA-3494-1
DLA-3989-1
GHSA-7W2C-W47H-789W
USN-6210-1

Affected Products

Doorkeeper
Linuxmint
Ubuntu