CVE-2016-6582
CRITICALDoorkeeper < 4.2.0 - OAuth Token Replay and Arbitrary Revocation via Missing Revocation Specification
Title source: llmDescription
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/92551
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539268/100/0/threaded
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Aug/105
Issue Tracking, Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/doorkeeper-gem/doorkeeper/issues/875
Scores
CVSS v3
9.1
EPSS
0.0101
EPSS Percentile
77.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-254
Status
published
Products (2)
doorkeeper_project/doorkeeper
< 4.1.0
rubygems/doorkeeper
0 - 4.2.0RubyGems
Published
Jan 23, 2017
Tracked Since
Feb 18, 2026