Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtNnItMzlwMy1qcTI1
Doorkeeper is vulnerable to replay attacks
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.
Permalink: https://github.com/advisories/GHSA-3m6r-39p3-jq25JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtNnItMzlwMy1qcTI1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 7 years ago
Updated: over 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Percentage: 0.01332
EPSS Percentile: 0.85748
Identifiers: GHSA-3m6r-39p3-jq25, CVE-2016-6582
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6582
- https://github.com/doorkeeper-gem/doorkeeper/issues/875
- https://github.com/advisories/GHSA-3m6r-39p3-jq25
- https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0
- http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html
- http://seclists.org/fulldisclosure/2016/Aug/105
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2016-6582.yml
- https://web.archive.org/web/20170214021758/http://www.securityfocus.com/bid/92551
- https://web.archive.org/web/20201207202519/http://www.securityfocus.com/archive/1/539268/100/0/threaded
- http://www.openwall.com/lists/oss-security/2016/08/19/2
Blast Radius: 34.0
Affected Packages
rubygems:doorkeeper
Dependent packages: 41Dependent repositories: 5,403
Downloads: 80,157,224 total
Affected Version Ranges: < 4.2.0
Fixed in: 4.2.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.1.0
All unaffected versions: 4.2.0, 4.2.5, 4.2.6, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0, 5.7.1, 5.8.0, 5.8.1