Incorrect Authentication Implementation Affecting doorkeeper package, versions < 4.2.0, >= 1.2.0

Snyk CVSS

Attack Complexity Low

Integrity High

Availability High

Threat Intelligence

EPSS 1.14% (85^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-DOORKEEPER-20272
published 17 Aug 2016
disclosed 17 Aug 2016
credit Justin Bull

Report a new vulnerability Found a mistake?

Introduced: 17 Aug 2016

CVE-2016-6582 Open this link in a new tab CWE-284 Open this link in a new tab

Overview

doorkeeper is an Oauth 2.0 provider for Rails and Grape.

Affected versions incorrectly implement Oauth 2.0 Token Revocation (RFC 7009). Specifically, public clients making an unauthenticated calls to revoke a token would not have their tokens revoked. In addition, a compromised confidential client can be used to revoke tokens of other users.

Incorrect Authentication Implementation Affecting doorkeeper package, versions < 4.2.0, >= 1.2.0

Snyk CVSS

Threat Intelligence

Introduced: 17 Aug 2016

Overview

References