Byte Open Security (ByteOS Network)
NVD Vulnerability Details: CVE-2020-10187
Status: Analyzed
Source: cve@mitre.org
Published At: 04 May, 2020 | 14:15
Updated At: 21 Jul, 2021 | 11:39

Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
CPE Matches

doorkeeper_project >> doorkeeper >> Versions from 5.0.0 (inclusive) to 5.0.3 (exclusive)
cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*

doorkeeper_project >> doorkeeper >> Versions from 5.1.0 (inclusive) to 5.1.1 (exclusive)
cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*

doorkeeper_project >> doorkeeper >> Versions from 5.2.0 (inclusive) to 5.2.5 (exclusive)
cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*

doorkeeper_project >> doorkeeper >> Versions from 5.3.0 (inclusive) to 5.3.2 (exclusive)
cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*
Weaknesses
CWE ID: CWE-862
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
Hyperlink: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
Source: cve@mitre.org
Resource: Patch, Third Party Advisory

Hyperlink: https://github.com/doorkeeper-gem/doorkeeper/releases
Source: cve@mitre.org
Resource: Release Notes, Third Party Advisory

Hyperlink: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
Source: cve@mitre.org
Resource: Patch, Third Party Advisory

Hyperlink: https://github.com/rubysec/ruby-advisory-db/pull/446
Source: cve@mitre.org
Resource: Patch, Third Party Advisory
Change History
0 changes found