Merge pull request #343 from f3ndot/CVE-2018-1000211

phillmv · web-flow · commit e650ee18a67f · 2018-07-18T17:14:05.000-04:00
Add CVE-2018-1000211 for Doorkeeper
diff --git a/gems/doorkeeper/CVE-2018-1000211.yml b/gems/doorkeeper/CVE-2018-1000211.yml
@@ -0,0 +1,39 @@
+---
+gem: doorkeeper
+cve: 2018-1000211
+date: 2018-07-11
+url: "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
+
+title: Doorkeeper gem does not revoke token for public clients
+
+description: |
+  Any OAuth application that uses public/non-confidential authentication when
+  interacting with Doorkeeper is unable to revoke its tokens when calling the
+  revocation endpoint.
+
+  A bug in the token revocation API would cause it to attempt to authenticate
+  the public OAuth client as if it was a confidential app. Because of this, the
+  token is never revoked.
+
+  The impact of this is the access or refresh token is not revoked, leaking
+  access to protected resources for the remainder of that token's lifetime.
+
+  If Doorkeeper is used to facilitate public OAuth apps and leverage token
+  revocation functionality, upgrade to the patched versions immediately.
+
+  Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
+
+  DWF has assigned CVE-2018-1000211.
+
+unaffected_versions:
+  - "< 4.2.0"
+
+patched_versions:
+  - ">= 4.4.0"
+  - ">= 5.0.0.rc2"
+
+related:
+  url:
+    - https://github.com/doorkeeper-gem/doorkeeper/issues/891
+    - https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+    - https://github.com/doorkeeper-gem/doorkeeper/pull/1120
