Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtNnItMzlwMy1qcTI1

Doorkeeper is vulnerable to replay attacks

The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.

Permalink: https://github.com/advisories/GHSA-3m6r-39p3-jq25
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNtNnItMzlwMy1qcTI1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 7 years ago
Updated: about 1 year ago

CVSS Score: 9.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Identifiers: GHSA-3m6r-39p3-jq25, CVE-2016-6582
References:

Repository: https://github.com/doorkeeper-gem/doorkeeper
Blast Radius: 34.0

Affected Packages

rubygems:doorkeeper

Dependent packages: 41
Dependent repositories: 5,403
Downloads: 78,208,136 total
Affected Version Ranges: < 4.2.0
Fixed in: 4.2.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.1.0
All unaffected versions: 4.2.0, 4.2.5, 4.2.6, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0, 5.7.1, 5.8.0