Sha256: aa4f6b5f6bb84e6f472abb2dde3274889e4dbb3f79755cfd41116f9f5abf264d
---
gem: doorkeeper
cve: 2018-1000211
date: 2018-07-11
url: "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
title: Doorkeeper gem does not revoke token for public clients
description: |
  Any OAuth application that uses public/non-confidential authentication
  when interacting with Doorkeeper is unable to revoke its tokens when
  calling the revocation endpoint. A bug in the token revocation API
  would cause it to attempt to authenticate the public OAuth client as if
  it was a confidential app. Because of this, the token is never revoked.
  The impact of this is the access or refresh token is not revoked,
  leaking access to protected resources for the remainder of that token's
  lifetime.
  If Doorkeeper is used to facilitate public OAuth apps and leverage token
  revocation functionality, upgrade to the patched versions immediately.
  Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
  DWF has assigned CVE-2018-1000211.
unaffected_versions:
  - "< 4.2.0"
patched_versions:
  - ">= 4.4.0"
  - ">= 5.0.0.rc2"
related:
  url:
    - https://github.com/doorkeeper-gem/doorkeeper/issues/891
    - https://github.com/doorkeeper-gem/doorkeeper/pull/1119
    - https://github.com/doorkeeper-gem/doorkeeper/pull/1120