RubySec

Providing security resources for the Ruby community

CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.

GEM

doorkeeper

SEVERITY

CVSS v2.0: 6.8 (Medium)

PATCHED VERSIONS

  • ~> 1.4.1
  • >= 2.0.0

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user’s OAuth authorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144.

Doorkeeper’s endpoints did not have CSRF protection. Any HTML document on the Internet could therefore obtain a user’s authorization code, with arbitrary scope, from any Doorkeeper-compatible Rails app that user was logged in to.
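The check that was missing, shown as an added illustration rather than Doorkeeper's own code: a Rails-style authenticity-token verification (safe methods pass, every other request must carry the session's token in the form field or the X-CSRF-Token header) wrapped around a hypothetical OAuth approval action. The Request struct, the session hash and the approval action are constructed stand-ins for the Rack/Rails objects; with the check disabled the action behaves like the unpatched endpoint, with it enabled a request that arrives without the token is refused.

```ruby
require "securerandom"

# Added example, not Doorkeeper's code. Request, session and the approval
# action are hypothetical stand-ins for the Rails objects involved.
module CsrfDemo
  Request = Struct.new(:method, :params, :headers, :session, keyword_init: true)

  # Constant-time byte comparison so token checks do not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Rule applied by Rails' protect_from_forgery: GET/HEAD are exempt, every
  # other request must present the session's token as the authenticity_token
  # param or the X-CSRF-Token header. A form posted from another origin
  # cannot read the session token, so it fails this check.
  def self.verified_request?(req)
    return true if %w[GET HEAD].include?(req.method)
    expected = req.session[:_csrf_token]
    provided = req.params["authenticity_token"] || req.headers["X-CSRF-Token"]
    return false if expected.nil? || provided.nil?
    secure_equal?(expected, provided)
  end

  # Approval action of an OAuth authorization endpoint. csrf_protected: false
  # models the unpatched behaviour (any POST is honoured); true is the fix.
  def self.approve_authorization(req, csrf_protected:)
    if csrf_protected && !verified_request?(req)
      return { status: 422, body: "invalid authenticity token" }
    end
    code = SecureRandom.hex(16) # constructed stand-in for a real grant code
    { status: 302, location: "#{req.params['redirect_uri']}?code=#{code}" }
  end

  # Fresh logged-in session carrying a per-session CSRF token.
  def self.new_session
    { _csrf_token: SecureRandom.base64(32) }
  end
end
```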