RubySec

Providing security resources for the Ruby community

CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.

ADVISORIES

GEM

doorkeeper

SEVERITY

CVSS v2: 6.8

PATCHED VERSIONS

  • ~> 1.4.1
  • >= 2.0.0

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user’s OAuth autorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144.

Doorkeeper’s endpoints didn’t have CSRF protection. Any HTML document on the Internet can then read a user’s authorization code with arbitrary scope from any Doorkeeper-compatible Rails app you are logged in.