PT-2020-11962 · Doorkeeper · Doorkeeper

Stefansundin

Published: 2020-05-04
Updated: 2021-07-21
CVE: CVE-2020-10187
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Doorkeeper versions 5.0.0 through 5.0.2
Doorkeeper versions 5.1.0 through 5.1.0
Doorkeeper versions 5.2.0 through 5.2.4
Doorkeeper versions 5.3.0 through 5.3.1
Description

The issue allows an attacker to retrieve the client secret, which is intended only for the OAuth application owner. After authorizing the application and allowing access, the attacker can request the list of their authorized applications in JSON format, usually via the "GET /oauth/authorized_applications.json" endpoint. This is possible if the authorized applications controller is enabled, because the response serializes every Doorkeeper::Application model attribute, including the secret.
Recommendations

For Doorkeeper versions 5.0.0 through 5.0.2, update to version 5.0.3 or later.
For Doorkeeper versions 5.1.0 through 5.1.0, update to version 5.1.1 or later.
For Doorkeeper versions 5.2.0 through 5.2.4, update to version 5.2.5 or later.
For Doorkeeper versions 5.3.0 through 5.3.1, update to version 5.3.2 or later.

As a temporary workaround, consider patching the Doorkeeper::Application model's #as_json(options = {}) method so that it defines only those attributes you want to expose. Enable application secret hashing, available since Doorkeeper 5.1, to render an exposed secret useless.
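An illustration of the workaround above, added here and not code from the Doorkeeper project: a stand-in for the Doorkeeper::Application model (the class names, attribute set, authorized_applications_json and leaks_secret? helpers are constructed for this example, not the gem's own), showing the serialize-everything default as_json beside an allowlisting override, and a check that the serialized listing no longer carries the secret.

```ruby
require "json"

# Stand-in for the Doorkeeper::Application model (constructed for this example,
# not the gem's real class). Like the ActiveRecord-backed original, its default
# as_json serializes every attribute, secret included, which is what leaked.
class Application
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Default behaviour: every column, secret included.
  def as_json(_options = {})
    attributes
  end
end

# The advisory's workaround: an #as_json override that allowlists only the
# attributes meant to be shown to an end user listing their authorized apps.
class HardenedApplication < Application
  PUBLIC_ATTRIBUTES = %w[id name uid].freeze

  def as_json(_options = {})
    attributes.slice(*PUBLIC_ATTRIBUTES)
  end
end

# Simulates the body of the authorized-applications JSON endpoint: one entry
# per application the current user has authorized (Rails' to_json calls as_json).
def authorized_applications_json(apps)
  JSON.generate(apps.map(&:as_json))
end

# Check for the leak: does any entry in the response still carry a secret?
def leaks_secret?(json)
  JSON.parse(json).any? { |entry| entry.key?("secret") }
end

# Constructed sample record; the secret value is a placeholder.
SAMPLE = { id: 1, name: "Example App", uid: "uid-123", secret: "constructed-secret",
           redirect_uri: "https://client.example/cb", scopes: "read" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts authorized_applications_json([Application.new(SAMPLE)])          # leaks the secret
  puts authorized_applications_json([HardenedApplication.new(SAMPLE)])  # id, name, uid only
end
```

The same allowlisting idea applies to the real model: override as_json on Doorkeeper::Application (or a subclass configured as the application model) rather than relying on the default attribute dump.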

Weakness Enumeration

Missing Authorization
Related Identifiers

CVE-2020-10187
GHSA-J7VX-8MQJ-CQP9

Affected Products

Doorkeeper