Search for packages
| purl | pkg:deb/debian/ruby-doorkeeper@4.2.0-3 |
| Next non-vulnerable version | 5.5.0-2+deb12u1 |
| Latest non-vulnerable version | 5.5.0-2+deb12u1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-bss3-b2mz-gyg6
Aliases: CVE-2023-34246 GHSA-7w2c-w47h-789w |
Doorkeeper Improper Authentication vulnerability OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6 > the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. **This includes the case where the user has previously approved an authorization request for a given client id** But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589 Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646 |
Affected by 0 other vulnerabilities. |
|
VCID-jqsd-ye8h-hfd1
Aliases: CVE-2018-1000211 GHSA-694m-jhr9-pf77 |
Incorrect Permission Assignment for Critical Resource Doorkeeper contains a vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry. |
Affected by 2 other vulnerabilities. |
|
VCID-kkj7-z9k5-5qe2
Aliases: CVE-2020-10187 GHSA-j7vx-8mqj-cqp9 |
Doorkeeper application secret information disclosure vulnerability Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) after authorizing an application to their user. An application is vulnerable if the authorized applications controller is enabled (GET /oauth/authorized_applications.json). Recommended additional hardening for >= 5.1 is to enable application secrets hashing. This would render the exposed secret useless. |
Affected by 1 other vulnerability. |
|
VCID-vfr9-mu8k-rbg5
Aliases: CVE-2018-1000088 GHSA-hwhh-2fwm-cfgw |
XSS on authorization consent view Stored XSS on the OAuth Client's name will cause users being prompted for consent via the `implicit` grant type to execute the XSS payload. The XSS attack could gain access to the user's active session, resulting in account compromise. Any user is susceptible if they click the authorization link for the malicious OAuth client. Because of how the links work, a user cannot tell if a link is malicious or not without first visiting the page with the XSS payload. In addition, there is stored XSS in the `native_redirect_uri` form element. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T09:35:56.329564+00:00 | Debian Oval Importer | Affected by | VCID-bss3-b2mz-gyg6 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |
| 2026-06-06T03:45:39.042907+00:00 | Debian Oval Importer | Affected by | VCID-vfr9-mu8k-rbg5 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |
| 2026-06-06T01:04:01.152291+00:00 | Debian Oval Importer | Affected by | VCID-jqsd-ye8h-hfd1 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |
| 2026-06-06T00:19:29.830086+00:00 | Debian Oval Importer | Affected by | VCID-kkj7-z9k5-5qe2 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0 |