Ubuntu Security Notice USN-6210-1
Ubuntu Security Notice 6210-1 - It was discovered that Doorkeeper incorrectly performed authorization checks for public clients that have been previously approved. An attacker could potentially exploit this in order to impersonate another user and obtain sensitive information.
==========================================================================
Ubuntu Security Notice USN-6210-1
July 07, 2023
ruby-doorkeeper vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Doorkeeper could be made to expose sensitive information over the
network.
Software Description:
- ruby-doorkeeper: OAuth 2 provider for Rails and Grape
Details:
It was discovered that Doorkeeper incorrectly performed authorization checks
for public clients that have been previously approved: once a resource owner
had approved a public client, later authorization requests for that client
were processed without showing the consent screen again. Because a public
client has no client secret, its identity cannot be assured, so anyone who
presents its client_id can trigger that silent approval. An attacker could
potentially exploit this in order to impersonate another user and obtain
sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
ruby-doorkeeper 5.5.0-2ubuntu0.23.04.1
Ubuntu 22.10:
ruby-doorkeeper 5.5.0-2ubuntu0.22.10.1
Ubuntu 22.04 LTS:
ruby-doorkeeper 5.5.0-2ubuntu0.22.04.1
Ubuntu 20.04 LTS:
ruby-doorkeeper 5.0.2-2ubuntu0.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
ruby-doorkeeper 4.3.1-1ubuntu0.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
ruby-doorkeeper 2.2.1-1ubuntu0.1~esm1
After a standard system update you need to restart any applications using
Doorkeeper to make all the necessary changes. The package versions above carry
a backport of the upstream fix; applications that install the doorkeeper gem
through Bundler rather than the Ubuntu package need upstream Doorkeeper 5.6.6
or later instead.
References:
https://ubuntu.com/security/notices/USN-6210-1
CVE-2023-34246
Package Information:
https://launchpad.net/ubuntu/+source/ruby-doorkeeper/5.5.0-2ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/ruby-doorkeeper/5.5.0-2ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/ruby-doorkeeper/5.5.0-2ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/ruby-doorkeeper/5.0.2-2ubuntu0.1
Related news
OAuth RFC 8252 (https://www.rfc-editor.org/rfc/rfc8252#section-8.6) says:
> the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. **This includes the case where the user has previously approved an authorization request for a given client id**
But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot be assured.
Issue: https://github.com/doorkeeper-gem/doorkeeper/issues/1589
Fix: https://github.com/doorkeeper-gem/doorkeeper/pull/1646
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot be assured. This issue is fixed in version 5.6.6.
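The following is an added example and not Doorkeeper's own code. It models, in plain Ruby with no Rails dependency, the consent decision an OAuth 2 authorization endpoint makes when a prior approval (an existing access token for the same client, resource owner and scopes) is on record: the vulnerable form skips the consent screen for any previously approved client, the hardened form skips it only for confidential clients, which is what RFC 8252 section 8.6 asks for. The class and method names (Client, AccessToken, AuthorizationEndpoint, decide, run_scenario), the exact-scope-set matching rule, and the constructed scenario of a native app with a custom-scheme redirect URI that a malicious app on the same device can also claim are all assumptions for illustration.

```ruby
# Added example (not Doorkeeper's code): consent-skipping decision for an
# OAuth 2 authorization endpoint, before and after the CVE-2023-34246 fix.
# All names and the scenario data below are illustrative assumptions.

# A registered OAuth client. A public client has no secret, so any party
# that knows its client_id can present itself as that client.
Client = Struct.new(:client_id, :confidential, :redirect_uri, keyword_init: true) do
  def confidential?
    confidential
  end
end

# A previously issued access token: the record of an earlier approval.
AccessToken = Struct.new(:client_id, :resource_owner_id, :scopes, :revoked, keyword_init: true)

class AuthorizationEndpoint
  # mode :vulnerable reuses any prior approval; mode :fixed reuses it only
  # when the client's identity can be assured (confidential client).
  def initialize(tokens, mode:)
    @tokens = tokens
    @mode = mode
  end

  # What the authorization endpoint does for this request:
  #   :redirect_error -> redirect_uri does not match the registration
  #   :issue_code     -> no consent screen, authorization code issued at once
  #   :show_consent   -> render the consent screen to the resource owner
  def decide(client:, resource_owner_id:, scopes:, redirect_uri:)
    return :redirect_error unless client.redirect_uri == redirect_uri

    previously_approved = matching_token?(client, resource_owner_id, scopes)
    skip_consent =
      case @mode
      when :vulnerable then previously_approved
      when :fixed      then previously_approved && client.confidential?
      else raise ArgumentError, "unknown mode #{@mode.inspect}"
      end

    skip_consent ? :issue_code : :show_consent
  end

  private

  # True when an unrevoked token exists for this client, owner and exact
  # scope set (assumed matching rule for the example).
  def matching_token?(client, owner, scopes)
    @tokens.any? do |t|
      !t.revoked &&
        t.client_id == client.client_id &&
        t.resource_owner_id == owner &&
        t.scopes.sort == scopes.sort
    end
  end
end

# Constructed scenario: user 42 earlier approved a public native app that
# uses a custom-scheme redirect URI. A malicious app on the same device can
# register that scheme too, and sends the victim's browser to the endpoint
# with the legitimate client_id (no secret needed) and redirect_uri. In
# :vulnerable mode the code is issued silently and lands in the attacker's
# URI handler; in :fixed mode the victim sees a consent screen.
def run_scenario(mode)
  native_app = Client.new(client_id: "native-app", confidential: false,
                          redirect_uri: "com.example.app://callback")
  backend    = Client.new(client_id: "backend", confidential: true,
                          redirect_uri: "https://backend.example/cb")
  tokens = [
    AccessToken.new(client_id: "native-app", resource_owner_id: 42, scopes: %w[read], revoked: false),
    AccessToken.new(client_id: "backend",    resource_owner_id: 42, scopes: %w[read], revoked: false),
  ]
  endpoint = AuthorizationEndpoint.new(tokens, mode: mode)
  {
    impersonated_public_client: endpoint.decide(client: native_app, resource_owner_id: 42,
                                                scopes: %w[read], redirect_uri: native_app.redirect_uri),
    confidential_client: endpoint.decide(client: backend, resource_owner_id: 42,
                                         scopes: %w[read], redirect_uri: backend.redirect_uri),
    never_approved: endpoint.decide(client: native_app, resource_owner_id: 7,
                                    scopes: %w[read], redirect_uri: native_app.redirect_uri),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_scenario(:vulnerable)}"
  puts "fixed:      #{run_scenario(:fixed)}"
end
```

Note that the redirect_uri check passes in both modes: the attacker presents the registered URI, and the interception happens on the device where the custom scheme is claimed. That is why a redirect_uri match alone is not a proof of client identity for public clients, and why the hardened decision keys on confidential? rather than on the prior token.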