CVE-2023-34246: 
Ruby vulnerability analysis and mitigation

Doorkeeper, an OAuth 2 provider for Ruby on Rails / Grape, was found to have a vulnerability (CVE-2023-34246) prior to version 5.6.6. The issue was discovered where Doorkeeper automatically processed authorization requests without user consent for public clients that had been previously approved. The vulnerability was disclosed on June 12, 2023, and affects all versions of Doorkeeper before 5.6.6 (GitHub Advisory).

The vulnerability stems from an improper authentication mechanism where Doorkeeper would skip user consent for previously approved public clients. According to RFC 8252 section 8.6, authorization servers should not process authorization requests automatically without user consent when the client's identity cannot be assured. Public clients are inherently vulnerable to impersonation, making this automatic processing a security risk. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N by NIST NVD, while GitHub assessed it with a score of 4.2 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability could allow an attacker to impersonate another user and obtain sensitive information by exploiting the automatic authorization process for public clients. This impacts the confidentiality and integrity of the system, as indicated by the CVSS scoring which shows Low impact on both Confidentiality and Integrity (Ubuntu Security).

The vulnerability has been fixed in Doorkeeper version 5.6.6. The fix involves blocking public clients from automatic authorization skip functionality. Users are strongly recommended to upgrade to version 5.6.6 or later. Multiple Linux distributions have also released security updates to address this vulnerability, including Debian and Ubuntu (Debian Advisory, Ubuntu Notice).