CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.

ADVISORIES

CVE-2014-8144 (NVD)
GHSA-685w-vc84-wxcx
OSVDB-116010
Vendor Advisory

GEM

doorkeeper

SEVERITY

CVSS v2.0: 6.8 (Medium)

PATCHED VERSIONS

~> 1.4.1
>= 2.0.0

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user's OAuth autorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144.

Doorkeeper's endpoints didn't have CSRF protection. Any HTML document on the Internet can then read a user's authorization code with arbitrary scope from any Doorkeeper-compatible Rails app you are logged in.

RubySec

CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

Recent Advisories