Sha256: bb820d04c11cbb3f524a307bfd566da6ab41d46425a3b55fee03fd886e36338b

Contents?: true

Size: 1.65 KB

Versions: 5

Compression:

Stored size: 1.65 KB

Contents

---
gem: doorkeeper
cve: 2016-6582
date: 2016-08-18
url: "http://www.openwall.com/lists/oss-security/2016/08/19/2"

title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method

description: |
  Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
  following ways:

  1. Public clients making valid, unauthenticated calls to revoke a token
     would not have their token revoked
  2. Requests were not authenticated by the *client credentials*, as RFC 7009
     requires, but by an access token presented elsewhere in the request
  3. Because of 2, the requests also did not check that a confidential
     client was authorized to revoke the given token; a client should only
     be able to revoke tokens that were issued to it.

  The security implication is: OAuth 2.0 clients who "log out" a user expect
  to have the corresponding access & refresh tokens revoked, preventing an
  attacker who may have already hijacked the session from continuing to
  impersonate the victim. Because of the bug described above, this is not the
  case. As far as OWASP is concerned, this counts as broken authentication
  design.

  MITRE has assigned CVE-2016-6582 due to the security issues raised. An
  attacker, thanks to 1, can replay a hijacked session after a victim logs
  out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
  compromised confidential client could "grief" other clients by revoking
  their tokens (albeit this is an exceptionally narrow attack with little
  value).

unaffected_versions:
  - "< 1.2.0"

patched_versions:
  - ">= 4.2.0"

related:
  url:
    - https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53
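
The advisory above describes three ways the revocation endpoint deviated from RFC 7009. The following is an added example, not Doorkeeper's code and not part of the advisory DB entry: a minimal RFC 7009 revocation endpoint over an in-memory token store, placed next to a model of the pre-fix behaviour (any valid access token authorizes the request, and the target token's owner is never checked). The Client/Token structs, the grant ids, the `call(params, headers)` interface and the 403 `unauthorized_client` error for cross-client revocation are this example's own assumptions.

```ruby
require 'base64'

# Added example, not Doorkeeper's code. Clients, tokens, grant ids and the
# call(params, headers) interface are all constructed for this example.

Client = Struct.new(:id, :secret, :confidential)
# kind is :access or :refresh; tokens from one authorization share a grant id.
Token = Struct.new(:value, :client_id, :kind, :grant, :revoked)

class TokenStore
  def initialize(clients, tokens)
    @clients = clients.each_with_object({}) { |c, h| h[c.id] = c }
    @tokens  = tokens.each_with_object({}) { |t, h| h[t.value] = t }
  end

  def client(id); @clients[id.to_s]; end
  def token(value); @tokens[value.to_s]; end

  # Revoke the whole grant (access + refresh), as RFC 7009 2.1 recommends.
  def revoke_grant(grant)
    @tokens.each_value { |t| t.revoked = true if t.grant == grant }
  end
end

# Fixed behaviour: authenticate the *client*, then check token ownership.
class RevocationEndpoint
  def initialize(store); @store = store; end

  # params: form body ('token', optional 'client_id'); returns [status, body].
  def call(params, headers = {})
    client = authenticate_client(params, headers)
    return [401, { 'error' => 'invalid_client' }] unless client

    token = @store.token(params['token'])
    # RFC 7009 2.2: an unknown or already revoked token is not an error.
    return [200, {}] if token.nil?

    # RFC 7009 2.1: only revoke tokens issued to the requesting client.
    # Answering 403 unauthorized_client is this example's choice of error.
    unless token.client_id == client.id
      return [403, { 'error' => 'unauthorized_client' }]
    end

    @store.revoke_grant(token.grant)
    [200, {}]
  end

  private

  # Confidential clients present id:secret via HTTP Basic; public clients
  # may identify themselves with client_id alone (RFC 6749 2.3).
  def authenticate_client(params, headers)
    auth = headers['Authorization'].to_s
    if auth.start_with?('Basic ')
      id, secret = Base64.decode64(auth.sub('Basic ', '')).split(':', 2)
      client = @store.client(id)
      return nil unless client && client.confidential
      return secure_compare(client.secret, secret.to_s) ? client : nil
    end
    client = @store.client(params['client_id'])
    client && !client.confidential ? client : nil
  end

  # Constant-time comparison so the secret check does not leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Pre-fix behaviour from the advisory: the request is "authorized" by any
# valid access token (Bearer header or access_token param), never by client
# credentials, and the target token's owner is never checked.
class LegacyRevocationEndpoint
  def initialize(store); @store = store; end

  def call(params, headers = {})
    bearer = headers['Authorization'].to_s.sub(/\ABearer /, '')
    presented = @store.token(bearer.empty? ? params['access_token'] : bearer)
    if presented && presented.kind == :access && !presented.revoked
      target = @store.token(params['token'])
      @store.revoke_grant(target.grant) if target # any client's token (2, 3)
    end
    [200, {}] # a public client gets 200 but nothing was revoked (1)
  end
end

# Constructed sample data: one public and one confidential client.
def demo_store
  TokenStore.new(
    [Client.new('spa', nil, false), Client.new('web', 's3cret', true)],
    [Token.new('spa-at', 'spa', :access, 'g1', false),
     Token.new('spa-rt', 'spa', :refresh, 'g1', false),
     Token.new('web-at', 'web', :access, 'g2', false),
     Token.new('web-rt', 'web', :refresh, 'g2', false)]
  )
end

def basic_auth(id, secret)
  { 'Authorization' => 'Basic ' + Base64.strict_encode64("#{id}:#{secret}") }
end
```

With the fixed endpoint, `RevocationEndpoint.new(demo_store).call({ 'token' => 'spa-at', 'client_id' => 'spa' })` revokes the public client's access and refresh tokens with no client secret involved, while a confidential client presenting valid Basic credentials is refused when the token belongs to another client. Against `LegacyRevocationEndpoint`, the same public-client call returns 200 and revokes nothing, and a Bearer access token from the `web` client is enough to revoke `spa`'s tokens, which is the behaviour the advisory's points 1 through 3 describe.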

Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml