RubySec

Providing security resources for the Ruby community

CVE-2020-10187 (doorkeeper): Doorkeeper application secret information disclosure vulnerability

Published: May 02, 2020

SECURITY IDENTIFIERS

GEM

doorkeeper

SEVERITY

CVSS v3.x: 5.4 (Medium)

CVSS v2.0: 5.5 (Medium)

UNAFFECTED VERSIONS

< 5.0.0

PATCHED VERSIONS

~> 5.0.3
~> 5.1.1
~> 5.2.5
>= 5.3.2

DESCRIPTION

Information disclosure vulnerability. An attacker who authorizes an application against their own user account can then read every Doorkeeper::Application model attribute value, including the application secret.

An application is vulnerable if the authorized applications controller is enabled (GET /oauth/authorized_applications.json), because that endpoint serializes the full application record.

Recommended additional hardening for Doorkeeper >= 5.1 is to enable application secret hashing, so that only a hashed value is stored and an exposed secret is useless on its own.
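The two defences above, as an added Ruby example that is not Doorkeeper's own code: a stand-in `OAuthApplication` class (all names are assumptions) shows the leaky serialization that dumps every attribute, an allow-list `as_json` that keeps the secret out of a JSON response such as GET /oauth/authorized_applications.json, and a `HashedSecret` module that stores only a digest, so a disclosed stored value cannot be used as the secret. In a real Doorkeeper 5.1+ initializer the hashing is enabled via `hash_application_secrets`; a SHA-256 digest stands in for it here.

```ruby
# Added example (assumed names, not Doorkeeper's code).
require 'json'
require 'digest'

class OAuthApplication
  attr_reader :id, :name, :uid, :secret, :created_at

  def initialize(id:, name:, uid:, secret:, created_at:)
    @id, @name, @uid, @secret, @created_at = id, name, uid, secret, created_at
  end

  # Leaky: every column, secret included. Rendering this as JSON to a
  # resource owner is the disclosure described in the advisory.
  def all_attributes
    { 'id' => id, 'name' => name, 'uid' => uid,
      'secret' => secret, 'created_at' => created_at }
  end

  # Hardened: an explicit allow-list of what a resource owner may see.
  PUBLIC_FIELDS = %w[id name created_at].freeze

  def as_json(*)
    all_attributes.slice(*PUBLIC_FIELDS)
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Secret hashing: persist only the digest and verify by re-hashing.
# Client secrets are high-entropy random strings, so an unsalted digest is
# acceptable here (unlike for user passwords).
module HashedSecret
  def self.store(plain_secret)
    Digest::SHA256.hexdigest(plain_secret)
  end

  # Constant-time comparison so verification does not leak via timing.
  def self.matches?(stored_digest, presented_secret)
    candidate = store(presented_secret)
    return false unless candidate.bytesize == stored_digest.bytesize

    diff = 0
    candidate.bytes.zip(stored_digest.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end
```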