From e4382622f5e02e302b5a17de248dea80f38669a1 Mon Sep 17 00:00:00 2001
From: Justin Bull
Date: Mon, 16 Jul 2018 12:14:44 -0400
Subject: [PATCH] Add CVE-2018-1000211 for Doorkeeper

---
 gems/doorkeeper/CVE-2018-1000211.yml | 39 ++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 gems/doorkeeper/CVE-2018-1000211.yml

diff --git a/gems/doorkeeper/CVE-2018-1000211.yml b/gems/doorkeeper/CVE-2018-1000211.yml
new file mode 100644
index 0000000000..f1374accfd
--- /dev/null
+++ b/gems/doorkeeper/CVE-2018-1000211.yml
@@ -0,0 +1,39 @@
+---
+gem: doorkeeper
+cve: 2018-1000211
+date: 2018-07-11
+url: "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
+
+title: Doorkeeper gem does not revoke token for public clients
+
+description: |
+ Any OAuth application that uses public/non-confidential authentication when
+ interacting with Doorkeeper is unable to revoke its tokens when calling the
+ revocation endpoint.
+
+ A bug in the token revocation API would cause it to attempt to authenticate
+ the public OAuth client as if it was a confidential app. Because of this, the
+ token is never revoked.
+
+ The impact of this is the access or refresh token is not revoked, leaking
+ access to protected resources for the remainder of that token's lifetime.
+
+ If Doorkeeper is used to facilitate public OAuth apps and leverage token
+ revocation functionality, upgrade to the patched versions immediately.
+
+ Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
+
+ DWF has assigned CVE-2018-1000211.
+
+unaffected_versions:
+ - "< 4.2.0"
+
+patched_versions:
+ - ">= 4.4.0"
+ - ">= 5.0.0.rc2"
+
+related:
+ url:
+ - https://github.com/doorkeeper-gem/doorkeeper/issues/891
+ - https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+ - https://github.com/doorkeeper-gem/doorkeeper/pull/1120
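Review bot: The `patched_versions` entry `">= 4.4.0"` already covers every version that `">= 5.0.0.rc2"` covers, and it also matches 5.0.0.rc1, which the second entry implies is still vulnerable — a consumer using Gem::Requirement semantics (bundler-audit) would therefore report an app on 5.0.0.rc1 as patched. If the 4.x fix lives only in the 4.4 series, replacing that line with `- "~> 4.4.0"` keeps the 5.0.0 pre-releases below rc2 in the affected range while still matching 4.4.x patch releases; I cannot tell from this diff which 4.x releases carry the fix, so the exact constraint should be confirmed against the referenced pull requests. The `unaffected_versions` bound `"< 4.2.0"` is likewise asserted without a reference; adding the commit or release that introduced the regression under `related` would make it verifiable.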