Description
Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the 'openid' scope and a prompt=none value. This allows phishing attacks against the authorization flow.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/66
Third Party Advisory x_refsource_misc
https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61
Third Party Advisory x_refsource_misc
https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md
Scores
CVSS v3
6.1
EPSS
0.0026
EPSS Percentile
49.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (2)
openid/openid_connect
1.4.0 - 1.5.4
rubygems/doorkeeper-openid_connect
1.4.0 - 1.5.4RubyGems
Published
Mar 21, 2019
Tracked Since
Feb 18, 2026