I originally had marked "master + memcache token driver" as "affected" because it returns a relatively bloated API response (as the other failing implementations do), however the response itself does not present a vulnerability because the "id" values are MD5-hashed as expected.
As far as I can tell, this API has never been previously documented or tested at all, hence the inconsistencies in implementation.
Final list of affected branches / drivers:
stable/grizzly + kvs token driver
stable/grizzly + memcache token driver
stable/folsom + kvs token driver
stable/folsom + memcache token driver
I originally had marked "master + memcache token driver" as "affected" because it returns a relatively bloated API response (as the other failing implementations do), however the response itself does not present a vulnerability because the "id" values are MD5-hashed as expected.
As far as I can tell, this API has never been previously documented or tested at all, hence the inconsistencies in implementation.