GHSA-J7VX-8MQJ-CQP9

Vulnerability from github – Published: 2020-05-07 21:11 – Updated: 2021-07-29 16:42
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
Details

Impact

Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) using authorized applications controller if it's enabled (GET /oauth/authorized_applications.json).

Patches

These versions have the fix:

  • 5.0.3
  • 5.1.1
  • 5.2.5
  • 5.3.2

Workarounds

Patch Doorkeeper::Application model #as_json(options = {}) method and define only those attributes you want to expose.

Additional recommended hardening is to enable application secrets hashing (guide), available since Doorkeeper 5.1. This would render the exposed secret useless.

References

  • Commit with fix: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "doorkeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "doorkeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.1.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "doorkeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "doorkeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-07T21:09:24Z",
    "nvd_published_at": "2020-05-04T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nInformation disclosure vulnerability. Allows an attacker to see all `Doorkeeper::Application` model attribute values (including secrets) using authorized applications controller if it\u0027s enabled (GET /oauth/authorized_applications.json).\n\n### Patches\n\nThese versions have the fix:\n\n* 5.0.3\n* 5.1.1\n* 5.2.5\n* 5.3.2\n\n### Workarounds\nPatch `Doorkeeper::Application` model `#as_json(options = {})` method and define only those attributes you want to expose.\n\nAdditional recommended hardening is to enable application secrets hashing ([guide](https://doorkeeper.gitbook.io/guides/security/token-and-application-secrets)), available since Doorkeeper 5.1. This would render the exposed secret useless.\n\n### References\n\n- Commit with fix: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187",
  "id": "GHSA-j7vx-8mqj-cqp9",
  "modified": "2021-07-29T16:42:27Z",
  "published": "2020-05-07T21:11:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/pull/446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/doorkeeper-gem/doorkeeper/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2020-10187.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.