CVE-2020-10187 — HIGH (7.5)

Q: How severe is CVE-2020-10187?

CVE-2020-10187 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-10187?

Check the references section above for vendor advisories and patch information. Affected products include: Doorkeeper Project Doorkeeper.

Vulnerability Description

Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Doorkeeper Project	Doorkeeper	>= 5.0.0, < 5.0.3

Related Weaknesses (CWE)

CWE-862

References

https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d00PatchThird Party Advisory
https://github.com/doorkeeper-gem/doorkeeper/releasesRelease NotesThird Party Advisory
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-PatchThird Party Advisory
https://github.com/rubysec/ruby-advisory-db/pull/446PatchThird Party Advisory
https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d00PatchThird Party Advisory
https://github.com/doorkeeper-gem/doorkeeper/releasesRelease NotesThird Party Advisory
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-PatchThird Party Advisory
https://github.com/rubysec/ruby-advisory-db/pull/446PatchThird Party Advisory

FAQ

What is CVE-2020-10187?

CVE-2020-10187 is a vulnerability with a CVSS score of 7.5 (HIGH). Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizi...

How severe is CVE-2020-10187?

CVE-2020-10187 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-10187?

Check the references section above for vendor advisories and patch information. Affected products include: Doorkeeper Project Doorkeeper.