GHSA-694m-jhr9-pf77

Source

https://github.com/advisories/GHSA-694m-jhr9-pf77

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-694m-jhr9-pf77/GHSA-694m-jhr9-pf77.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-694m-jhr9-pf77

Aliases

CVE-2018-1000211

Published

2018-08-13T20:46:41Z

Modified

2023-11-08T03:59:37.663503Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Doorkeeper subject to Incorrect Permission Assignment

Details

Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2020-06-16T21:18:42Z",
    "nvd_published_at": null
}

References

Affected packages

RubyGems / doorkeeper

Package

Name: doorkeeper
Purl: pkg:gem/doorkeeper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.4.0

Affected versions

4.*

4.2.0

4.2.5

4.2.6

4.3.0

4.3.1

4.3.2