CVE-2020-10187 (doorkeeper): Doorkeeper application secret information disclosure vulnerability

ADVISORIES

CVE-2020-10187 (NVD)
GHSA-j7vx-8mqj-cqp9
Vendor Advisory

GEM

doorkeeper

SEVERITY

CVSS v3.x: 5.4 (Medium)

CVSS v2.0: 5.5 (Medium)

UNAFFECTED VERSIONS

< 5.0.0

PATCHED VERSIONS

~> 5.0.3
~> 5.1.1
~> 5.2.5
>= 5.3.2

DESCRIPTION

Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) after authorizing an application to their user.

An application is vulnerable if the authorized applications controller is enabled (GET /oauth/authorized_applications.json).

Recommended additional hardening for >= 5.1 is to enable application secrets hashing. This would render the exposed secret useless.

https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6

RubySec