Doorkeeper · Doorkeeper · CVE-2020-10187
**Name of the Vulnerable Software and Affected Versions**
Doorkeeper versions 5.0.0 through 5.0.2
Doorkeeper versions 5.1.0 through 5.1.0
Doorkeeper versions 5.2.0 through 5.2.4
Doorkeeper versions 5.3.0 through 5.3.1
**Description**
The issue allows an attacker to retrieve the client secret intended only for the OAuth application owner. After authorizing the application and allowing access, the attacker can request the list of their authorized applications in JSON format, usually via the `GET /oauth/authorized_applications.json` endpoint. This is possible if the authorized applications controller is enabled, because the response serializes every `Doorkeeper::Application` model attribute, including the secret.
**Recommendations**
For Doorkeeper versions 5.0.0 through 5.0.2, update to version 5.0.3 or later.
For Doorkeeper versions 5.1.0 through 5.1.0, update to version 5.1.1 or later.
For Doorkeeper versions 5.2.0 through 5.2.4, update to version 5.2.5 or later.
For Doorkeeper versions 5.3.0 through 5.3.1, update to version 5.3.2 or later.
As a temporary workaround, consider patching the `Doorkeeper::Application` model `#as_json(options = {})` method to define only those attributes you want to expose.
Enable application secrets hashing, available since Doorkeeper 5.1, to render the exposed secret useless.
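The allowlist-style `as_json` override described in the workaround, shown as an added example against a constructed stand-in for the model (this is not Doorkeeper's code; the stand-in, the exposed attribute list and the sample record are assumptions for illustration):

```ruby
require 'json'

# Constructed stand-in for the ActiveRecord-backed Doorkeeper::Application
# model. It only mirrors the default behaviour the advisory describes:
# as_json serialises every attribute, secret included.
class Application
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  # Default serialisation: every attribute is exposed (the vulnerable shape).
  def as_json(_options = {})
    attributes
  end
end

# Workaround: redefine as_json so only an explicit allowlist is rendered by
# authorized_applications.json. The attribute list is an assumption.
module ApplicationSafeJson
  EXPOSED_ATTRIBUTES = %w[id name uid redirect_uri scopes created_at].freeze

  def as_json(_options = {})
    attributes.slice(*EXPOSED_ATTRIBUTES)
  end
end

# Sample record with constructed (non-real) identifiers and secret.
SAMPLE_APP = {
  'id' => 1,
  'name' => 'Example client',
  'uid' => 'client-uid-example',
  'secret' => 'client-secret-example',
  'redirect_uri' => 'https://client.example/callback',
  'scopes' => 'read',
  'created_at' => '2020-03-01T00:00:00Z'
}.freeze

def unpatched_json
  JSON.generate([Application.new(SAMPLE_APP)].map(&:as_json))
end

def patched_json
  klass = Class.new(Application) { prepend ApplicationSafeJson }
  JSON.generate([klass.new(SAMPLE_APP)].map(&:as_json))
end

# Regression check for the rendered payload: does any application expose a secret?
def leaks_secret?(json)
  JSON.parse(json).any? { |app| app.key?('secret') }
end
```

In a real Rails application the same override would be applied to `Doorkeeper::Application` itself (for example via `class_eval` in an initializer), and `leaks_secret?` can be run against the actual endpoint response as a regression test after patching.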