Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-04T13:19:04

Updated: 2024-08-04T10:58:39.628Z

Reserved: 2020-03-06T00:00:00

Link: CVE-2020-10187

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-05-04T14:15:13.013

Modified: 2024-11-21T04:54:55.790

Link: CVE-2020-10187

cve-icon Redhat

No data.