Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.

Metadata

medium
6.8
doorkeeper
CVE-2014-8144
groups.google.com
2014-12-18
2017-06-16 20:03
2017-06-16 19:12
2017-04-01 19:10
2017-01-05 20:15

Description

Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
and earlier allows remote attackers to hijack the user's OAuth
authorization code. This vulnerability has been assigned the CVE
identifier CVE-2014-8144.

Doorkeeper's endpoints did not have CSRF protection. Any HTML document
on the Internet could therefore read a user's authorization code, with
arbitrary scope, from any Doorkeeper-compatible Rails app the user is
logged in to.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package: doorkeeper
Patched in: ~> 1.4.1, >= 2.0.0
Unaffected in: None
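An added example, not part of this page or of the doorkeeper project, that applies the "Patched in" constraints above to a project's Gemfile.lock using RubyGems' own requirement semantics. The lockfile fragment is constructed for illustration.

```ruby
require "rubygems"

# Constraints as stated on this page: a doorkeeper version is patched if it
# satisfies any of them. RubyGems semantics: "~> 1.4.1" means >= 1.4.1, < 1.5.
PATCHED_IN = ["~> 1.4.1", ">= 2.0.0"].freeze

# True when +version+ carries the fix for CVE-2014-8144.
def doorkeeper_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_IN.any? { |c| Gem::Requirement.new(c).satisfied_by?(v) }
end

# Resolved version of a gem from Gemfile.lock text. Bundler writes locked
# specs as "    name (x.y.z)" (four-space indent) under the "specs:" heading;
# dependency lines are indented deeper and so do not match.
def locked_version(lockfile_text, gem_name = "doorkeeper")
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && m[1]
end

# :patched, :vulnerable, or :absent (doorkeeper not in the lockfile).
def assess_lockfile(lockfile_text)
  version = locked_version(lockfile_text)
  return :absent unless version
  doorkeeper_patched?(version) ? :patched : :vulnerable
end

# Constructed sample Gemfile.lock fragment, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (1.4.0)
        railties (>= 3.1)
      railties (4.1.8)
LOCK

puts "doorkeeper #{locked_version(SAMPLE_LOCK)}: #{assess_lockfile(SAMPLE_LOCK)}"
```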