CVE-2018-1000211

HIGH 7.5 | EPSS 0.27%

Doorkeeper subject to Incorrect Permission Assignment

Published: 8/13/2018 | Modified: 4/28/2026
Also known as: GHSA-694m-jhr9-pf77, DEBIAN-CVE-2018-1000211

Description

Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry.

Affected packages (2)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)