---
gem: doorkeeper
cve: 2014-8144
osvdb: 116010
url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
title: |
  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
  and earlier.
date: 2014-12-18

description: |
  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
  and earlier allows remote attackers to hijack the user's OAuth
  autorization code. This vulnerability has been assigned the CVE
  identifier CVE-2014-8144.

  Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
  on the Internet can then read a user's authorization code with
  arbitrary scope from any Doorkeeper-compatible Rails app you are
  logged in.

cvss_v2: 6.8

patched_versions:
  - ~> 1.4.1
  - ">= 2.0.0"