Description
Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
Impact
Information disclosure vulnerability. An attacker can read every attribute of the Doorkeeper::Application model (client secrets included) through the authorized applications controller when it is enabled (GET /oauth/authorized_applications.json).
Patches
These versions have the fix:
- 5.0.3
- 5.1.1
- 5.2.5
- 5.3.2
Workarounds
Patch the Doorkeeper::Application model's #as_json(options = {}) method so that it serializes only the attributes you want to expose.
Additional recommended hardening is to enable application secret hashing (guide), available since Doorkeeper 5.1. This renders an exposed secret useless, since only a hash of it is stored.
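The workaround above, as an added example that is not part of the advisory or of Doorkeeper itself: a stand-in for the Application model whose default #as_json dumps every attribute, the whitelisting override, and a check that a rendered listing contains no secret-bearing keys. The attribute names, the prepend wiring and the sample record are assumptions.

```ruby
require "json"

# Stand-in for Doorkeeper::Application, constructed for this example. Like the
# real ActiveRecord model, its default #as_json serializes every column, which
# is what put the client secret into /oauth/authorized_applications.json.
class Application
  attr_reader :attributes
  def initialize(attributes)
    @attributes = attributes
  end

  # Unpatched behaviour: every attribute, secret included.
  def as_json(_options = {})
    attributes
  end
end

# The advisory's workaround: redefine #as_json on the model and list only the
# attributes a resource owner needs when reviewing authorized applications.
# The attribute list and the prepend wiring are assumptions for this example;
# in a Rails app it would target Doorkeeper::Application from an initializer.
module ApplicationJsonPatch
  SAFE_ATTRIBUTES = %w[id name uid redirect_uri created_at].freeze
  def as_json(_options = {})
    attributes.slice(*SAFE_ATTRIBUTES)
  end
end

class PatchedApplication < Application
  prepend ApplicationJsonPatch
end

# Mimics the controller rendering the JSON listing of authorized applications.
def render_listing(apps)
  JSON.generate(apps.map(&:as_json))
end

# Regression check: which secret-bearing keys does a listing payload expose?
SECRET_KEYS = %w[secret client_secret].freeze
def leaked_secret_keys(listing_json)
  JSON.parse(listing_json).flat_map { |app| app.keys & SECRET_KEYS }.uniq
end

# Constructed sample record; the secret value is a placeholder, not a real one.
ATTRS = { "id" => 1, "name" => "Example Client", "uid" => "uid-placeholder",
          "secret" => "PLACEHOLDER_SECRET", "redirect_uri" => "https://example.test/cb",
          "created_at" => "2020-01-01T00:00:00Z" }.freeze

puts leaked_secret_keys(render_listing([Application.new(ATTRS)])).inspect        # ["secret"]
puts leaked_secret_keys(render_listing([PatchedApplication.new(ATTRS)])).inspect # []
```

The same check can be run against a real authorized_applications.json response body to confirm a deployment is patched.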
References
- https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
- https://nvd.nist.gov/vuln/detail/CVE-2020-10187
- https://github.com/rubysec/ruby-advisory-db/pull/446
- https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
- https://github.com/doorkeeper-gem/doorkeeper/releases
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2020-10187.yml
Packages
- doorkeeper, affected >= 5.0.0, < 5.0.3, fixed in 5.0.3
- doorkeeper, affected = 5.1.0, fixed in 5.1.1
- doorkeeper, affected >= 5.2.0, < 5.2.5, fixed in 5.2.5
- doorkeeper, affected >= 5.3.0, < 5.3.2, fixed in 5.3.2
Related vulnerabilities
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.