Insufficient Token Expiration

Affecting doorkeeper gem, versions >=4.2.0, <4.4.0 || =5.0.0.rc1

high severity

Overview

doorkeeper is an OAuth 2 provider for Rails and Grape.

Affected versions of this package are vulnerable to Insufficient Token Expiration. All OAuth applications using public or non-confidential authentication when interacting with Doorkeeper would attempt to authenticate the public OAuth client as if it were a confidential app. This would cause the token to not be revoked from the endpoint, and the token could be used for the remainder of that token's lifetime.

Remediation

Upgrade to version 4.4.0, 5.0.0.rc2 or higher

References

Do your applications use this vulnerable package?

Credit
Roberto Ostinelli
CVE
CVE-2018-1000211
CWE
CWE-613
Snyk ID
SNYK-RUBY-DOORKEEPER-22044
Disclosed
16 Jul, 2018
Published
19 Jul, 2018