CVSS v3: 7.5
- < 4.2.0
- >= 4.4.0
- >= 5.0.0.rc2
Any OAuth application that uses public/non-confidential authentication when interacting with Doorkeeper is unable to revoke its tokens when calling the revocation endpoint.
A bug in the token revocation API would cause it to attempt to authenticate the public OAuth client as if it was a confidential app. Because of this, the token is never revoked.
The impact of this is the access or refresh token is not revoked, leaking access to protected resources for the remainder of that token’s lifetime.
If Doorkeeper is used to facilitate public OAuth apps and leverage token revocation functionality, upgrade to the patched versions immediately.
Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
DWF has assigned CVE-2018-1000211.