Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: doorkeeper
date: 2018-07-11
url: https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/
cve: 2018-1000211
title: Doorkeeper gem does not revoke token for public clients
description: |
  Any OAuth application that authenticates as a public (non-confidential)
  client when interacting with Doorkeeper is unable to revoke its tokens by
  calling the token revocation endpoint.

  A bug in the token revocation API caused it to attempt to authenticate the
  public OAuth client as if it were a confidential app. A public client has no
  client secret to present, so that authentication fails and the token is never
  revoked.

  The impact is that the access or refresh token remains valid, leaving access
  to protected resources open for the remainder of that token's lifetime.

  If Doorkeeper is used to serve public OAuth apps that rely on token
  revocation, upgrade to a patched version immediately.

  Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.

  DWF has assigned CVE-2018-1000211.
unaffected_versions:
- "< 4.2.0"
patched_versions:
- ">= 4.4.0"
- ">= 5.0.0.rc2"
related:
  url:
  - https://github.com/doorkeeper-gem/doorkeeper/issues/891
  - https://github.com/doorkeeper-gem/doorkeeper/pull/1119
  - https://github.com/doorkeeper-gem/doorkeeper/pull/1120
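The failure mode described in the advisory, as an added, simplified model that is not Doorkeeper's code: a revocation endpoint that gates revocation on confidential-client authentication for every caller (so a public client, which has no secret, can never pass) beside a hardened version that authorizes on token ownership and only demands the secret from confidential clients. All class and method names (Application, AccessToken, TokenStore, revoke_vulnerable, revoke_fixed, revocation_effective?) and the sample clients and tokens are constructed for this example. RFC 7009 requires the endpoint to answer 200 whether or not anything was revoked, which is why the last helper inspects the token's state after the call rather than the HTTP response.

```ruby
# Registered OAuth clients. A public client has no secret (secret: nil).
Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)

# Issued access/refresh tokens. A token is revoked once revoked_at is set.
AccessToken = Struct.new(:value, :application, :revoked_at, keyword_init: true) do
  def revoked?
    !revoked_at.nil?
  end
end

# In-memory stand-in for the database tables behind the endpoint.
class TokenStore
  def initialize(apps, tokens)
    @apps   = apps.map   { |a| [a.uid, a] }.to_h
    @tokens = tokens.map { |t| [t.value, t] }.to_h
  end

  def find_app(uid)
    @apps[uid]
  end

  def find_token(value)
    @tokens[value]
  end
end

# Constructed sample data: one confidential app, one public app, one token each.
def build_store
  confidential = Application.new(uid: "conf-app", secret: "s3cret", confidential: true)
  public_app   = Application.new(uid: "pub-app",  secret: nil,      confidential: false)
  tokens = [
    AccessToken.new(value: "tok-conf", application: confidential),
    AccessToken.new(value: "tok-pub",  application: public_app),
  ]
  TokenStore.new([confidential, public_app], tokens)
end

# Client authentication as a confidential client: the client is recognised only
# when both uid and secret match. A public client has no secret, so this
# always fails for it.
def authenticate_confidential(store, uid, secret)
  app = store.find_app(uid)
  app if app && !secret.nil? && app.secret == secret
end

# Vulnerable shape: revocation is gated on confidential client authentication
# for every caller. The response is 200 either way (RFC 7009), so a public
# client sees success while its token stays live.
def revoke_vulnerable(store, token:, client_id:, client_secret: nil)
  access_token = store.find_token(token)
  client = authenticate_confidential(store, client_id, client_secret)
  if access_token && client && access_token.application == client
    access_token.revoked_at = Time.now
  end
  { status: 200 }
end

# Hardened shape: authorize on token ownership first. A public client may
# revoke any token issued to the client_id it presents; a confidential client
# must additionally prove possession of its secret.
def revoke_fixed(store, token:, client_id:, client_secret: nil)
  access_token = store.find_token(token)
  app = store.find_app(client_id)
  authorized =
    if access_token.nil? || app.nil? || access_token.application != app
      false
    elsif app.confidential
      !client_secret.nil? && app.secret == client_secret
    else
      true
    end
  access_token.revoked_at = Time.now if authorized
  { status: 200 }
end

# The check to run against a deployment: call the revocation endpoint, then
# confirm the token is actually dead instead of trusting the 200.
def revocation_effective?(store, revoke_method, token:, client_id:, client_secret: nil)
  send(revoke_method, store, token: token, client_id: client_id, client_secret: client_secret)
  access_token = store.find_token(token)
  !access_token.nil? && access_token.revoked?
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, public client:  #{revocation_effective?(build_store, :revoke_vulnerable, token: 'tok-pub', client_id: 'pub-app')}"
  puts "fixed, public client:       #{revocation_effective?(build_store, :revoke_fixed, token: 'tok-pub', client_id: 'pub-app')}"
  puts "fixed, foreign token:       #{revocation_effective?(build_store, :revoke_fixed, token: 'tok-conf', client_id: 'pub-app')}"
end
```

Against a real Doorkeeper instance the same check is: POST the token to /oauth/revoke with only the public client's client_id, then present the token to /oauth/token/info or any protected resource. If it is still accepted, the deployment has the bug regardless of what the revocation endpoint returned.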