RubySec

Providing security resources for the Ruby community

CVE-2018-1000211 (doorkeeper): Doorkeeper gem does not revoke token for public clients

GEM

doorkeeper

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

  • < 4.2.0

PATCHED VERSIONS

  • >= 4.4.0
  • >= 5.0.0.rc2

DESCRIPTION

Any OAuth application that uses public/non-confidential authentication when interacting with Doorkeeper is unable to revoke its tokens when calling the revocation endpoint.

A bug in the token revocation API caused it to attempt to authenticate the public OAuth client as if it were a confidential app. Since a public client has no client secret, that authentication fails and the token is never revoked.

The impact is that the access or refresh token is not revoked, leaving access to protected resources open for the remainder of that token’s lifetime.

If Doorkeeper is used to facilitate public OAuth apps and leverages token revocation functionality, upgrade to the patched versions immediately.
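The defect described above is easiest to see side by side with its fix. The following is an added illustration, not Doorkeeper's own code: a minimal in-memory model of an OAuth 2.0 token revocation endpoint (RFC 7009) in which one version authenticates every caller as a confidential client, so public clients silently fail to revoke, and the corrected version authenticates confidential clients by secret and public clients by client_id alone, revoking only tokens issued to the requesting client. All class names, method names and sample client identifiers are constructed for this example and do not correspond to Doorkeeper's API.

```ruby
# Added illustration (not Doorkeeper's code): a minimal model of an OAuth 2.0
# token revocation endpoint showing the class of defect described in
# CVE-2018-1000211 and how a corrected endpoint handles public clients.
# All names, structures and sample values here are constructed for the example.
require 'securerandom'

# A registered OAuth client. Public (non-confidential) clients have no secret.
Client = Struct.new(:id, :secret, :confidential)

# An issued token, bound to the client it was issued to.
Token = Struct.new(:value, :client_id, :revoked)

# Minimal store standing in for the authorization server's database.
class TokenStore
  attr_reader :clients, :tokens

  def initialize
    @clients = {}
    @tokens  = {}
  end

  # Confidential clients receive a secret; public clients (SPAs, mobile apps)
  # get none and identify themselves with their client_id only.
  def register_client(id, confidential:)
    secret = confidential ? SecureRandom.hex(16) : nil
    @clients[id] = Client.new(id, secret, confidential)
  end

  def issue_token(client_id)
    value = SecureRandom.hex(16)
    @tokens[value] = Token.new(value, client_id, false)
  end

  def revoked?(value)
    @tokens.fetch(value).revoked
  end
end

# Constant-time comparison so the secret check does not leak timing information.
def secret_matches?(expected, given)
  return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Shared step: revoke the token only if it was issued to the requesting client
# (RFC 7009 section 2.1); a client must never revoke another client's tokens.
def revoke_if_owned(store, token_value, client)
  token = store.tokens[token_value]
  token.revoked = true if token && token.client_id == client.id
end

# Pattern of the vulnerable endpoint: every caller is authenticated as though it
# were a confidential client. A public client has no secret, so the check fails.
# RFC 7009 has the endpoint answer 200 regardless, which makes the failure
# silent: the caller believes the token is gone while it stays valid.
def revoke_vulnerable(store, token_value:, client_id:, client_secret: nil)
  client = store.clients[client_id]
  authenticated = client && secret_matches?(client.secret, client_secret)
  revoke_if_owned(store, token_value, client) if authenticated
  200
end

# Corrected endpoint: confidential clients must present their secret; public
# clients are identified by client_id only. Ownership is still enforced.
def revoke_fixed(store, token_value:, client_id:, client_secret: nil)
  client = store.clients[client_id]
  authenticated =
    if client.nil?
      false
    elsif client.confidential
      secret_matches?(client.secret, client_secret)
    else
      true
    end
  revoke_if_owned(store, token_value, client) if authenticated
  200
end

# Scenario: a public client revokes its own token through each endpoint.
# Returns whether each token is actually revoked afterwards.
def demo
  store = TokenStore.new
  store.register_client('spa-app', confidential: false)
  t1 = store.issue_token('spa-app')
  t2 = store.issue_token('spa-app')

  revoke_vulnerable(store, token_value: t1.value, client_id: 'spa-app')
  revoke_fixed(store, token_value: t2.value, client_id: 'spa-app')

  { vulnerable_revoked: store.revoked?(t1.value), fixed_revoked: store.revoked?(t2.value) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Both endpoints return 200 for the public client, which is why the bug goes unnoticed from the caller's side; only inspecting the token's state afterwards reveals the difference. The equivalent check against a real deployment is to issue a token to a public client, call the revocation endpoint with the client_id alone, and then confirm that the token is no longer accepted at a protected resource.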

Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.

DWF has assigned CVE-2018-1000211.