Doorkeeper is vulnerable to replay attacks · CVE-2016-6582 · GitHub Advisory Database · GitHub

Doorkeeper is vulnerable to replay attacks

Critical severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Aug 25, 2023

Package

doorkeeper (RubyGems)

Affected versions

< 4.2.0

Patched versions

4.2.0

Description

The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.

References

Published to the GitHub Advisory Database Oct 24, 2017

Reviewed Jun 16, 2020

Last updated Aug 25, 2023

Severity

Critical

9.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H