CVE-2020-10187
HIGH7.5EPSS 0.43%Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
發布日:2020/5/7修改日:2026/4/28
描述
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
受影響套件(2)
- Debian/ruby-doorkeeperfrom 0, < 5.0.3-1
- RubyGems/doorkeeper>= 5.0.0, < 5.0.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-10187
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-10187
- WEBhttps://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
- WEBhttps://github.com/doorkeeper-gem/doorkeeper/releases
- WEBhttps://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2020-10187.yml
- WEBhttps://github.com/rubysec/ruby-advisory-db/pull/446