Skip to content

Add CVE-2018-1000211 for Doorkeeper#343

Merged
phillmv merged 1 commit intorubysec:masterfrom
f3ndot:CVE-2018-1000211
Jul 18, 2018
Merged

Add CVE-2018-1000211 for Doorkeeper#343
phillmv merged 1 commit intorubysec:masterfrom
f3ndot:CVE-2018-1000211

Conversation

@f3ndot
Copy link
Copy Markdown
Contributor

@f3ndot f3ndot commented Jul 16, 2018
edited
Loading

Merge pending the release of 5.0.0.rc2 and 4.4.0: doorkeeper-gem/doorkeeper#1120 (comment) they are now released

@phillmv
Copy link
Copy Markdown
Member

phillmv commented Jul 18, 2018

Dope, thanks.

@f3ndot how serious would say this vuln is?

@phillmv phillmv merged commit e650ee1 into rubysec:master Jul 18, 2018
@f3ndot
Copy link
Copy Markdown
Contributor Author

f3ndot commented Jul 24, 2018

@phillmv I think it's debatable/matter of perspective on the severity of this vuln.

I liken it to the logout button not working on a website, so that's pretty severe in terms of things not working as expected. However, in order to take advantage, the access and/or refresh tokens must be compromised-- an already difficult feat.

Ignoring the ease of which an attacker can get into the appropriate pre-conditions to leverage the attack, it's medium/high because the entire feature is, in fact, non-functional for all public apps.

@f3ndot f3ndot deleted the CVE-2018-1000211 branch July 24, 2018 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@f3ndot @phillmv