CVE-2016-6582

critical

Description

The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.

References

https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0

https://github.com/doorkeeper-gem/doorkeeper/issues/875

http://www.securityfocus.com/bid/92551

http://www.securityfocus.com/archive/1/539268/100/0/threaded

http://seclists.org/fulldisclosure/2016/Aug/105

http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html

Details

Source: Mitre, NVD

Published: 2017-01-23

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Severity: Critical

Detections

Analytics