CVE-2018-1000211

HIGH

Doorkeeper >=4.2.0 - Info Disclosure

Title source: llm

Description

Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/doorkeeper-gem/doorkeeper/pull/1119

Third Party Advisory x_refsource_confirm

https://github.com/doorkeeper-gem/doorkeeper/issues/891

Scores

CVSS v3 7.5

EPSS 0.0027

EPSS Percentile 49.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-732

Status published

Products (2)

doorkeeper_project/doorkeeper < 4.2.0

rubygems/doorkeeper 4.2.0 - 4.4.0RubyGems

Published Jul 13, 2018

Tracked Since Feb 18, 2026