Doorkeeper gem does not revoke tokens & uses wrong auth/auth method


2017-06-16 19:20
CVE-2016-6582 ruby-doorkeeper
2017-04-01 19:10
2017-01-05 20:15


Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
following ways:

1. Public clients making valid, unauthenticated calls to revoke a token
would not have their token revoked
2. Requests were not properly authenticating the *client credentials* but
were, instead, looking at the access token in a second location
3. Because of 2, the requests were also not authorizing confidential
clients' ability to revoke a given token. It should only revoke tokens
that belong to it.

The security implication is: OAuth 2.0 clients who "log out" a user expect
to have the corresponding access & refresh tokens revoked, preventing an
attacker who may have already hijacked the session from continuing to
impersonate the victim. Because of the bug described above, this is not the
case. As far as OWASP is concerned, this counts as broken authentication

MITRE has assigned CVE-2016-6582 due to the security issues raised. An
attacker, thanks to 1, can replay a hijacked session after a victim logs
out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
compromised confidential client could "grief" other clients by revoking
their tokens (albeit this is an exceptionally narrow attack with little

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Package Patched in Unaffected in
doorkeeper >= 4.2.0 < 1.2.0