Name | CVE-2018-1000211 |
Description | Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 903980 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
ruby-doorkeeper (PTS) | bullseye | 5.3.0-2 | fixed
ruby-doorkeeper (PTS) | bookworm | 5.5.0-2 | fixed
ruby-doorkeeper (PTS) | sid, trixie | 5.6.6-2 | fixed
The information below is based on the following data on fixed versions.
Notes
[stretch] - ruby-doorkeeper <ignored> (Minor issue, invasive, no reverse dependencies, require changes in calling code)
https://github.com/doorkeeper-gem/doorkeeper/issues/891
https://github.com/doorkeeper-gem/doorkeeper/pull/1119
https://github.com/doorkeeper-gem/doorkeeper/commit/16e76e666b63e0e5e2704dd45b59e426190ddc78 (v4.4.0)
Requires changes in the reverse dependencies
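As an added illustration (not Doorkeeper's own code and not part of this tracker entry), the Ruby below models the revocation check the description refers to. The application and token structs, client names, secrets and token values are constructed for the example. The pre-fix check requires the client owning a token to authenticate with its secret, which a public client (browser or native app) never holds, so its revoke request is silently ignored while the endpoint still answers 200 as RFC 7009 requires. The fixed check mirrors the shape of the 4.4.0 change, which gates client authentication on a per-application `confidential` flag; that flag is a schema addition applications using the gem must migrate, which is the kind of change the notes above refer to.

```ruby
# Added example modelling CVE-2018-1000211, not Doorkeeper's code.
# Names, secrets and token values below are constructed for illustration.

Application = Struct.new(:uid, :secret, :confidential)
AccessToken = Struct.new(:token, :application, :revoked)

# Client authentication as the revocation endpoint performs it: the caller
# must present the application's secret. A public client never holds that
# secret, so it can never authenticate this way and `client` ends up nil.
def authenticate_client(apps, client_id, client_secret)
  apps.find { |a| a.uid == client_id && a.secret == client_secret }
end

# Pre-fix check (Doorkeeper 4.2.0 - 4.3.x as described): every token tied to
# an application needs an authenticated client that owns it. For a public
# app the client is nil, so this is always false and nothing is revoked.
def authorized_vulnerable?(token, client)
  return false unless token
  return true unless token.application          # token with no app: no auth needed
  !client.nil? && client == token.application
end

# Fixed check (shape of the 4.4.0 change): only a confidential application
# must authenticate and own the token; public applications skip client
# authentication, so their revoke requests take effect.
def authorized_fixed?(token, client)
  return false unless token
  return true unless token.application && token.application.confidential
  !client.nil? && client == token.application
end

# Simulated POST /oauth/revoke. RFC 7009 mandates HTTP 200 whether or not
# anything was revoked, which is why the pre-fix failure was invisible.
def revoke_request(apps, tokens, params, authorizer)
  token  = tokens[params[:token]]
  client = authenticate_client(apps, params[:client_id], params[:client_secret])
  token.revoked = true if token && authorizer.call(token, client)
  { status: 200, revoked: !!(token && token.revoked) }
end

# Constructed scenario: one public app, one confidential app, one token each.
# Returns the outcome of three revoke requests under the given authorizer.
def run_scenario(authorizer)
  public_app = Application.new("spa-client", "never-shipped-secret", false)
  conf_app   = Application.new("backend-client", "backend-secret", true)
  apps   = [public_app, conf_app]
  tokens = {
    "tok-public" => AccessToken.new("tok-public", public_app, false),
    "tok-conf"   => AccessToken.new("tok-conf", conf_app, false),
  }
  {
    # Public client revoking its own token: it can only send its client_id.
    public: revoke_request(apps, tokens,
                           { token: "tok-public", client_id: "spa-client" }, authorizer),
    # Public client trying to revoke a confidential app's token: must fail.
    cross: revoke_request(apps, tokens,
                          { token: "tok-conf", client_id: "spa-client" }, authorizer),
    # Confidential client authenticating with its secret: must succeed.
    confidential: revoke_request(apps, tokens,
                                 { token: "tok-conf", client_id: "backend-client",
                                   client_secret: "backend-secret" }, authorizer),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_scenario(method(:authorized_vulnerable?))}"
  puts "fixed:      #{run_scenario(method(:authorized_fixed?))}"
end
```

Running it shows the leak: under the vulnerable check the public client's own token stays live (`revoked: false`) although the endpoint returned 200, while under the fixed check it is revoked and a public client still cannot revoke a confidential application's token. A practitioner auditing a deployment on 4.2.0 through 4.3.x can reproduce the symptom the same way: revoke a public app's token, then confirm it still authenticates against a protected endpoint.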