Class: Dawn::Kb::CVE_2016_6582

Inherits:
Object
Includes:
DependencyCheck
Defined in:
lib/dawn/kb/cve_2016_6582.rb

Overview

Automatically created with rake on 2016-10-02

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from DependencyCheck

#aux_mitigation_gem, #dependencies, #not_affected, #safe_dependencies, #save_major, #save_minor

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from DependencyCheck

#vuln?

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initialize ⇒ CVE_2016_6582

include RubyVersionCheck

# File 'lib/dawn/kb/cve_2016_6582.rb', line 10

def initialize
  title   = "Doorkeeper gem does not revoke tokens & uses wrong auth/auth method"
  message = "Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the following ways:

1. Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked.
2. Requests were not properly authenticating the client credentials but were, instead, looking at the access token in a second location.
3. Because of 2, the requests were also not authorizing confidential clients' ability to revoke a given token. A client should only be able to revoke tokens that belong to it.

The security implication is: OAuth 2.0 clients who \"log out\" a user expect to have the corresponding access & refresh tokens revoked, preventing an attacker who may have already hijacked the session from continuing to impersonate the victim. Because of the bugs described above, this is not the case. As far as OWASP is concerned, this counts as broken authentication design.

MITRE has assigned CVE-2016-6582 due to the security issues raised. An attacker, thanks to 1, can replay a hijacked session after a victim logs out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a compromised confidential client could \"grief\" other clients by revoking their tokens (albeit this is an exceptionally narrow attack with little value)."

  super({
    :title=>title,
    :name=> "CVE-2016-6582",
    :cve=>"CVE-2016-6582",   # used by BasicCheck#cve_link / #nvd_link; must not be left empty
    :osvdb=>"",
    :cvss=>"",
    :release_date => Date.new(2016, 8, 18),
    :cwe=>"",
    :owasp=>"A9",
    :applies=>["rails", "sinatra", "padrino"],
    :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
    :message=>message,
    :mitigation=>"Please upgrade doorkeeper gem to version 4.2.0 or later.",
    :aux_links=>['http://www.openwall.com/lists/oss-security/2016/08/19/2']
  })
  # First fixed release: any doorkeeper version below 4.2.0 is reported as vulnerable.
  self.safe_dependencies = [{:name=>"doorkeeper", :version=>['4.2.0']}]
end
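What the `safe_dependencies` line amounts to in practice, as an added example written for this page rather than dawnscanner's own `DependencyCheck#vuln?` (which additionally carries branch-aware `save_major`/`save_minor` matching that is left out here): parse the pinned gems out of a Gemfile.lock, compare the installed doorkeeper version against the first fixed release with `Gem::Version`, and emit a finding when it is older. The Gemfile.lock excerpt is constructed for the example; the function names `parse_gemfile_lock`, `vulnerable_version?` and `check` are this example's, not the project's.

```ruby
# Added example for this page (not dawnscanner's DependencyCheck): a minimal
# version check of the kind CVE_2016_6582 performs with `safe_dependencies`.
require 'rubygems' # for Gem::Version

# Same shape as the check's safe_dependencies: the first fixed release(s).
SAFE_DEPENDENCIES = [{ name: 'doorkeeper', version: ['4.2.0'] }].freeze

# Constructed Gemfile.lock excerpt (assumption: an app pinning doorkeeper 4.1.0).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (4.1.0)
        railties (>= 4.2)
      railties (5.0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    doorkeeper
LOCK

# Extract "name (version)" pairs from the specs section of a Gemfile.lock.
# Pinned gems sit at four spaces of indentation; their own requirements
# (six spaces, e.g. "railties (>= 4.2)") are deliberately not matched.
def parse_gemfile_lock(lock_text)
  lock_text.each_line.with_object({}) do |line, deps|
    m = line.match(/\A {4}([\w.\-]+) \(([^\s)]+)\)\s*\z/)
    deps[m[1]] = m[2] if m
  end
end

# A gem is vulnerable when it is older than every listed fixed release.
# Gem::Version orders prereleases below the release, so 4.2.0.rc1 is still
# flagged. (Assumption: dawnscanner's branch-aware save_major/save_minor
# matching is out of scope here.)
def vulnerable_version?(installed, safe_versions)
  v = Gem::Version.new(installed)
  safe_versions.none? { |s| v >= Gem::Version.new(s) }
end

# One finding per affected gem; a gem that is not in the lock file means the
# check simply does not apply to this project.
def check(lock_text, safe_deps = SAFE_DEPENDENCIES)
  installed = parse_gemfile_lock(lock_text)
  safe_deps.each_with_object([]) do |dep, findings|
    ver = installed[dep[:name]]
    next if ver.nil? || !vulnerable_version?(ver, dep[:version])
    findings << { name: dep[:name], installed: ver, fixed: dep[:version] }
  end
end

if __FILE__ == $PROGRAM_NAME
  check(VULNERABLE_LOCK).each do |f|
    puts "#{f[:name]} #{f[:installed]} is affected by CVE-2016-6582; " \
         "upgrade to #{f[:fixed].join(', ')} or later"
  end
end
```

The practical caveat the comparison encodes: a release candidate of the fixed version (4.2.0.rc1) is still reported, and a project that does not pin doorkeeper at all produces no finding rather than a false positive, which is the same "does not apply" outcome dawnscanner reports when the gem is absent.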
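The three failures the message lists are easiest to see against a revocation endpoint that handles them correctly. The following is an added example written for this page; it is not Doorkeeper's code and not part of dawnscanner. The `RevocationServer` class, its in-memory client and token stores, and the client ids and secrets used are all assumptions made for illustration; the behaviour follows RFC 7009 section 2.1 (client authentication, then ownership check) and section 2.2 (200 for invalid tokens).

```ruby
# Added example for this page, not Doorkeeper's code: a toy RFC 7009
# revocation endpoint that does what the advisory says Doorkeeper < 4.2.0
# did not. Client ids, secrets and the in-memory stores are assumptions.
require 'securerandom'

class RevocationServer
  Client = Struct.new(:id, :secret)              # secret is nil for a public client
  Token  = Struct.new(:value, :client_id, :revoked)

  def initialize
    @clients = {}
    @tokens  = {}
  end

  def add_client(id, secret: nil)
    @clients[id] = Client.new(id, secret)
  end

  def issue_token(client_id)
    tok = Token.new(SecureRandom.hex(16), client_id, false)
    @tokens[tok.value] = tok
    tok.value
  end

  def revoked?(value)
    @tokens.fetch(value).revoked
  end

  # POST /oauth/revoke as in RFC 7009 section 2.1. Client credentials arrive
  # with the request (client_id/client_secret here; HTTP Basic is equivalent).
  # Returns [http_status, json_body].
  def revoke(token:, client_id:, client_secret: nil)
    client = @clients[client_id]
    return [401, { error: 'invalid_client' }] if client.nil?

    # Point 2: authenticate the client by ITS credentials. Nothing here looks
    # at a bearer token carried elsewhere in the request.
    if client.secret && !secure_compare(client.secret, client_secret.to_s)
      return [401, { error: 'invalid_client' }]
    end
    # Point 1: a public client (no secret) reaches this line unauthenticated
    # and its revocation request is still honoured.

    tok = @tokens[token]
    # Point 3: revoke only tokens issued to the requesting client. Unknown
    # tokens and another client's tokens both get a 200 with no effect
    # (RFC 7009 section 2.2 gives 200 for invalid tokens; answering
    # differently for a foreign token would leak that it exists).
    tok.revoked = true if tok && tok.client_id == client.id
    [200, {}]
  end

  private

  # Constant-time comparison so secret checking does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  srv = RevocationServer.new
  srv.add_client('spa')                          # public client
  srv.add_client('backend', secret: 'hunter2')   # confidential client
  t = srv.issue_token('spa')
  srv.revoke(token: t, client_id: 'spa')
  puts "public client's token revoked after logout: #{srv.revoked?(t)}"
end
```

Two design choices worth noting: the secret is compared in constant time rather than with `==`, and a confidential client that presents another client's token gets the same empty 200 as it would for a made-up token, so the "griefing" path in point 3 is closed without turning the endpoint into a token-existence oracle.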