Описание
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
Ссылки
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
Уязвимые конфигурации
Одно из
EPSS
7.5 High
CVSS3
4.3 Medium
CVSS2
Дефекты
Связанные уязвимости
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
Doorkeeper version 5.0.0 and later contains an information disclosure ...
Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
EPSS
7.5 High
CVSS3
4.3 Medium
CVSS2