Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper

GHSA-j7vx-8mqj-cqp9 · CVE-2020-10187

Published May 7, 2020 · Modified Mar 13, 2026

Description

Impact

Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values (including secrets) using authorized applications controller if it's enabled (GET /oauth/authorized_applications.json).

Patches

These versions have the fix:

5.0.3
5.1.1
5.2.5
5.3.2

Workarounds

Patch Doorkeeper::Application model #as_json(options = {}) method and define only those attributes you want to expose.

Additional recommended hardening is to enable application secrets hashing (guide), available since Doorkeeper 5.1. This would render the exposed secret useless.

References

Commit with fix: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187

References

WEB https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-10187
WEB https://github.com/rubysec/ruby-advisory-db/pull/446
WEB https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
WEB https://github.com/doorkeeper-gem/doorkeeper/releases
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2020-10187.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes