Vulnerability Details : CVE-2016-6582
The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification.
Products affected by CVE-2016-6582
- cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-6582
1.19% (probability of exploitation activity in the next 30 days)
EPSS Score History
~77% (percentile: the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2016-6582
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST | |
CWE ids for CVE-2016-6582
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-6582
- http://seclists.org/fulldisclosure/2016/Aug/105
  Full Disclosure: [CVE-2016-6582] Doorkeeper gem does not revoke tokens & uses wrong auth/auth method (Mailing List; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/92551
  Doorkeeper CVE-2016-6582 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/doorkeeper-gem/doorkeeper/releases/tag/v4.2.0
  Release v4.2.0 · doorkeeper-gem/doorkeeper · GitHub (Issue Tracking; Patch; Third Party Advisory; Release Notes)
- http://packetstormsecurity.com/files/138430/Doorkeeper-4.1.0-Token-Revocation.html
  Doorkeeper 4.1.0 Token Revocation ≈ Packet Storm (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/archive/1/539268/100/0/threaded
  SecurityFocus
- https://github.com/doorkeeper-gem/doorkeeper/issues/875
  Token revocation uses wrong authorization method · Issue #875 · doorkeeper-gem/doorkeeper · GitHub (Issue Tracking; Patch; Third Party Advisory)