GSD-2018-1000211
Vulnerability from gsd - Updated: 2018-07-11 00:00Details
Any OAuth application that uses public/non-confidential authentication when
interacting with Doorkeeper is unable to revoke its tokens when calling the
revocation endpoint.
A bug in the token revocation API would cause it to attempt to authenticate
the public OAuth client as if it was a confidential app. Because of this, the
token is never revoked.
The impact of this is the access or refresh token is not revoked, leaking
access to protected resources for the remainder of that token's lifetime.
If Doorkeeper is used to facilitate public OAuth apps and leverage token
revocation functionality, upgrade to the patched versions immediately.
Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
DWF has assigned CVE-2018-1000211.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-1000211",
"description": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.",
"id": "GSD-2018-1000211"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "doorkeeper",
"purl": "pkg:gem/doorkeeper"
}
}
],
"aliases": [
"CVE-2018-1000211",
"GHSA-694m-jhr9-pf77"
],
"details": "Any OAuth application that uses public/non-confidential authentication when\ninteracting with Doorkeeper is unable to revoke its tokens when calling the\nrevocation endpoint.\n\nA bug in the token revocation API would cause it to attempt to authenticate\nthe public OAuth client as if it was a confidential app. Because of this, the\ntoken is never revoked.\n\nThe impact of this is the access or refresh token is not revoked, leaking\naccess to protected resources for the remainder of that token\u0027s lifetime.\n\nIf Doorkeeper is used to facilitate public OAuth apps and leverage token\nrevocation functionality, upgrade to the patched versions immediately.\n\nCredit to Roberto Ostinelli for discovery, Justin Bull for the fixes.\n\nDWF has assigned CVE-2018-1000211.\n",
"id": "GSD-2018-1000211",
"modified": "2018-07-11T00:00:00.000Z",
"published": "2018-07-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
},
{
"type": "WEB",
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
},
{
"type": "WEB",
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
},
{
"type": "WEB",
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V3"
}
],
"summary": "Doorkeeper gem does not revoke token for public clients"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-07-10T20:50:24.886897",
"DATE_REQUESTED": "2018-07-10T20:32:02",
"ID": "CVE-2018-1000211",
"REQUESTER": "me@justinbull.ca",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119",
"refsource": "CONFIRM",
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/891",
"refsource": "CONFIRM",
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2018-1000211",
"cvss_v3": 7.5,
"date": "2018-07-11",
"description": "Any OAuth application that uses public/non-confidential authentication when\ninteracting with Doorkeeper is unable to revoke its tokens when calling the\nrevocation endpoint.\n\nA bug in the token revocation API would cause it to attempt to authenticate\nthe public OAuth client as if it was a confidential app. Because of this, the\ntoken is never revoked.\n\nThe impact of this is the access or refresh token is not revoked, leaking\naccess to protected resources for the remainder of that token\u0027s lifetime.\n\nIf Doorkeeper is used to facilitate public OAuth apps and leverage token\nrevocation functionality, upgrade to the patched versions immediately.\n\nCredit to Roberto Ostinelli for discovery, Justin Bull for the fixes.\n\nDWF has assigned CVE-2018-1000211.\n",
"gem": "doorkeeper",
"ghsa": "694m-jhr9-pf77",
"patched_versions": [
"\u003e= 4.4.0",
"\u003e= 5.0.0.rc2"
],
"related": {
"url": [
"https://github.com/doorkeeper-gem/doorkeeper/issues/891",
"https://github.com/doorkeeper-gem/doorkeeper/pull/1119",
"https://github.com/doorkeeper-gem/doorkeeper/pull/1120"
]
},
"title": "Doorkeeper gem does not revoke token for public clients",
"unaffected_versions": [
"\u003c 4.2.0"
],
"url": "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=4.2.0",
"affected_versions": "All versions up to 4.2.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-732",
"CWE-937"
],
"date": "2019-10-03",
"description": "Doorkeeper contains a vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.",
"fixed_versions": [
"4.2.5"
],
"identifier": "CVE-2018-1000211",
"identifiers": [
"CVE-2018-1000211"
],
"not_impacted": "All versions after 4.2.0",
"package_slug": "gem/doorkeeper",
"pubdate": "2018-07-13",
"solution": "Upgrade to version 4.2.5 or above.",
"title": "Incorrect Permission Assignment for Critical Resource",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-1000211"
],
"uuid": "000c563f-845d-43f5-b3ce-20faf7c842ab"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.2.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-1000211"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API\u0027s authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/pull/1119"
},
{
"name": "https://github.com/doorkeeper-gem/doorkeeper/issues/891",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/doorkeeper-gem/doorkeeper/issues/891"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-03T00:03Z",
"publishedDate": "2018-07-13T18:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…