GEM
SEVERITY
CVSS v3.x: 5.4 (Medium)
CVSS v2.0: 5.5 (Medium)
UNAFFECTED VERSIONS
- < 5.0.0
PATCHED VERSIONS
- ~> 5.0.3
- ~> 5.1.1
- ~> 5.2.5
- >= 5.3.2
DESCRIPTION
Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) after authorizing an application against their own user account.
An application is vulnerable if the authorized applications controller is enabled (GET /oauth/authorized_applications.json).
Recommended additional hardening for >= 5.1 is to enable application secret hashing. This would render the exposed secret useless, since only a digest is stored and returned.
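The following Ruby sketch is an added illustration and not Doorkeeper's own code: a constructed stand-in for a Doorkeeper::Application record shows the difference between rendering the whole model for the authorized-applications listing (which leaks the secret) and rendering only a whitelisted set of fields, and then shows why storing a digest instead of the plaintext secret makes the leaked value useless. The class, the field list and the SHA-256 choice are assumptions for the example, not the gem's implementation.

```ruby
require 'json'
require 'digest'

# Constructed stand-in for a Doorkeeper::Application row (not the gem's class).
class Application
  attr_reader :id, :name, :uid, :secret, :redirect_uri

  def initialize(id:, name:, uid:, secret:, redirect_uri:)
    @id, @name, @uid, @secret, @redirect_uri = id, name, uid, secret, redirect_uri
  end

  # Whole-record serialization: every column, client secret included.
  def to_h
    { id: id, name: name, uid: uid, secret: secret, redirect_uri: redirect_uri }
  end
end

# Vulnerable shape: the listing endpoint renders the model as-is, so a user who
# merely authorized the application can read its secret.
def unsafe_authorized_app_json(app)
  JSON.generate(app.to_h)
end

# Hardened shape: expose only what an end user needs to recognize the application.
# (Field list is an assumption for this example.)
SAFE_FIELDS = %i[id name uid].freeze

def safe_authorized_app_json(app)
  JSON.generate(app.to_h.slice(*SAFE_FIELDS))
end

# Secret hashing: persist a digest instead of the plaintext. Even if the stored
# value is exposed through a listing, it cannot be presented as the client secret.
def hash_secret(plain)
  Digest::SHA256.hexdigest(plain)
end

def secret_matches?(stored_digest, presented)
  hash_secret(presented) == stored_digest
end
```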