Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo3dngtOG1xai1jcXA5
Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
Impact
Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) using the authorized applications controller if it's enabled (GET /oauth/authorized_applications.json).
Patches
These versions have the fix:
- 5.0.3
- 5.1.1
- 5.2.5
- 5.3.2
Workarounds
Patch the Doorkeeper::Application model's #as_json(options = {}) method and define only those attributes you want to expose.
Additional recommended hardening is to enable application secrets hashing (guide), available since Doorkeeper 5.1. This would render the exposed secret useless.
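The workaround above, as an added example that is not Doorkeeper's own code: a constructed stand-in for the Doorkeeper::Application model contrasts a default-style serialisation (every attribute, secret included) with an #as_json override that returns only an explicit allow-list. The class, attribute names and the chosen allow-list are assumptions for illustration, not the gem's real implementation.

```ruby
require "json"

# Constructed stand-in for Doorkeeper::Application (hypothetical class);
# the attribute names mirror the model's columns for illustration only.
class ApplicationRecord
  ATTRIBUTES = %i[id name uid secret redirect_uri scopes confidential created_at].freeze
  attr_reader(*ATTRIBUTES)

  def initialize(attrs)
    ATTRIBUTES.each { |a| instance_variable_set("@#{a}", attrs[a]) }
  end

  # Every column as a string-keyed hash, the way a model's default
  # serialisation would hand it to the JSON renderer.
  def attributes
    ATTRIBUTES.to_h { |a| [a.to_s, public_send(a)] }
  end
end

# Unpatched behaviour: as_json returns all attributes, so the rendered
# JSON for the authorized applications endpoint carries the secret too.
class UnpatchedApplication < ApplicationRecord
  def as_json(_options = {})
    attributes
  end
end

# Workaround from the advisory: override as_json and list only the
# attributes an end user should see (allow-list chosen here as an example).
class PatchedApplication < ApplicationRecord
  SAFE_ATTRIBUTES = %w[id name uid redirect_uri scopes confidential created_at].freeze

  def as_json(_options = {})
    attributes.slice(*SAFE_ATTRIBUTES)
  end
end

# Constructed sample record with a placeholder secret value.
def sample_app(klass)
  klass.new(id: 1, name: "Example Client", uid: "client-uid-placeholder",
            secret: "PLACEHOLDER_SECRET", redirect_uri: "https://app.example/cb",
            scopes: "read", confidential: true, created_at: "2020-01-01T00:00:00Z")
end

# Check the rendered JSON the same way a reviewer would: does a "secret" key survive?
def leaks_secret?(app)
  JSON.parse(JSON.generate(app.as_json)).key?("secret")
end
```

The same check can be run against a real Doorkeeper install by rendering an Application record with `to_json` and looking for the `secret` key.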
References
- Commit with fix: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo3dngtOG1xai1jcXA5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.0017
EPSS Percentile: 0.54501
Identifiers: GHSA-j7vx-8mqj-cqp9, CVE-2020-10187
References:
- https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
- https://nvd.nist.gov/vuln/detail/CVE-2020-10187
- https://github.com/rubysec/ruby-advisory-db/pull/446
- https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
- https://github.com/doorkeeper-gem/doorkeeper/releases
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2020-10187.yml
- https://github.com/advisories/GHSA-j7vx-8mqj-cqp9
Blast Radius: 28.0
Affected Packages
rubygems:doorkeeper
Dependent packages: 41
Dependent repositories: 5,403
Downloads: 81,959,677 total
Affected Version Ranges: >= 5.3.0, < 5.3.2, >= 5.2.0, < 5.2.5, = 5.1.0, >= 5.0.0, < 5.0.3
Fixed in: 5.3.2, 5.2.5, 5.1.1, 5.0.3
All affected versions: 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.3.1
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1, 3.1.0, 4.0.0, 4.1.0, 4.2.0, 4.2.5, 4.2.6, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 5.0.3, 5.1.1, 5.1.2, 5.2.5, 5.2.6, 5.3.2, 5.3.3, 5.4.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.7.0, 5.7.1, 5.8.0, 5.8.1