title: Doorkeeper gem does not revoke token for public clients
Any OAuth application that uses public/non-confidential authentication when
interacting with Doorkeeper is unable to revoke its tokens when calling the
A bug in the token revocation API caused it to attempt to authenticate the
public OAuth client as if it were a confidential app. Because that
authentication can never succeed for a public client, the token is never revoked.
The impact is that the access or refresh token is not revoked, leaving access
to protected resources open for the remainder of that token's lifetime.
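The following is an added example and not Doorkeeper's code: a minimal RFC 7009 style revocation handler, with invented class and method names (`Client`, `TokenStore`, `revoke_buggy`, `revoke`), that puts the class of bug described above (authenticating every caller as a confidential client, so a public client's request silently fails and its token stays active) next to the corrected handling, where a secret is demanded only from confidential clients and every client is still restricted to revoking its own tokens.

```ruby
# Added example, not Doorkeeper's code. Models the bug class in the advisory
# (public clients authenticated as confidential) beside the corrected logic.
require 'securerandom'

class Client
  attr_reader :id, :secret

  # A confidential client holds a secret it can present; a public client
  # (mobile app, single-page app) has none and is known by client_id alone.
  def initialize(id, secret: nil)
    @id = id
    @secret = secret
  end

  def confidential?
    !@secret.nil?
  end
end

class TokenStore
  def initialize(clients)
    @clients = clients.each_with_object({}) { |c, h| h[c.id] = c }
    @tokens = {} # token string => { client_id:, revoked: }
  end

  def issue(client_id)
    token = SecureRandom.hex(16)
    @tokens[token] = { client_id: client_id, revoked: false }
    token
  end

  def active?(token)
    record = @tokens[token]
    !record.nil? && !record[:revoked]
  end

  # Buggy variant: every caller must present a matching client_secret, so a
  # public client can never pass and its token is left active.
  def revoke_buggy(params)
    client = @clients[params[:client_id]]
    return :invalid_client unless client && client.secret &&
                                  secure_compare(client.secret, params[:client_secret].to_s)
    revoke_record(client, params[:token])
  end

  # Fixed variant: a secret is required only from confidential clients. Public
  # clients are still bound to their own tokens by the ownership check below.
  def revoke(params)
    client = @clients[params[:client_id]]
    return :invalid_client unless client
    if client.confidential?
      return :invalid_client unless secure_compare(client.secret, params[:client_secret].to_s)
    end
    revoke_record(client, params[:token])
  end

  private

  def revoke_record(client, token)
    record = @tokens[token]
    # RFC 7009 section 2.2: an unknown or already invalid token is not an error.
    return :ok if record.nil?
    # A client may only revoke tokens that were issued to it.
    return :unauthorized_client unless record[:client_id] == client.id
    record[:revoked] = true
    :ok
  end

  # Constant-time comparison so the secret check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new([Client.new('mobile-app'), Client.new('backend', secret: 's3cr3t')])
  token = store.issue('mobile-app')
  puts "buggy: #{store.revoke_buggy(client_id: 'mobile-app', token: token)}, still active: #{store.active?(token)}"
  puts "fixed: #{store.revoke(client_id: 'mobile-app', token: token)}, still active: #{store.active?(token)}"
end
```

The detection-relevant point is that the buggy path fails without any visible error on the client side when the endpoint follows RFC 7009 and answers success for tokens it did not revoke; a server-side check that the token record is actually marked revoked after the call is what surfaces the defect.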
If Doorkeeper is used to serve public OAuth apps and token revocation is
relied upon, upgrade to the patched versions immediately.
Credit to Roberto Ostinelli for the discovery and Justin Bull for the fixes.
DWF has assigned CVE-2018-1000211.
- "< 4.2.0"
- ">= 4.4.0"
- ">= 5.0.0.rc2"
url: '["https://github.com/doorkeeper-gem/doorkeeper/issues/891", "https://github.com/doorkeeper-gem/doorkeeper/pull/1119",