RubySec

Providing security resources for the Ruby community

CVE-2020-10187 (doorkeeper): Doorkeeper application secret information disclosure vulnerability

ADVISORIES

GEM

doorkeeper

SEVERITY

CVSS v3: 5.4

CVSS v2: 5.5

UNAFFECTED VERSIONS

  • < 5.0.0

PATCHED VERSIONS

  • ~> 5.0.3
  • ~> 5.1.1
  • ~> 5.2.5
  • >= 5.3.2

DESCRIPTION

Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) after authorizing an application to their user.

An application is vulnerable if the authorized applications controller is enabled (GET /oauth/authorized_applications.json).

Recommended additional hardening for >= 5.1 is to enable application secrets hashing. This would render the exposed secret useless.