Source: ruby-doorkeeper Version: 5.0.2-2 Severity: grave Tags: security upstream
Hi,

The following vulnerability was published for ruby-doorkeeper.

CVE-2020-10187[0]:
| Doorkeeper version 5.0.0 and later contains an information disclosure
| vulnerability that allows an attacker to retrieve the client secret
| only intended for the OAuth application owner. After authorizing the
| application and allowing access, the attacker simply needs to request
| the list of their authorized applications in a JSON format (usually
| GET /oauth/authorized_applications.json). An application is vulnerable
| if the authorized applications controller is enabled.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-10187
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10187
[1] https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
[2] https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6

Please adjust the affected versions in the BTS as needed. It is said that
it only affects versions >= 5.0.0, but this still needs to be checked (and why).

Regards,
Salvatore
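Added example (not part of the bug report, and not Doorkeeper's code or the upstream fix): a small Ruby check that walks a JSON body of the shape the advisory describes for GET /oauth/authorized_applications.json and reports every location where a secret-like key is exposed, next to a rendering helper that only includes the client secret when the output is for the application owner. The response body is constructed for the example, and the choice of key names treated as sensitive (`secret`, `client_secret`) is an assumption; a real Doorkeeper instance may serialize applications differently, so run the check against an actual response rather than trusting the sample.

```ruby
require "json"

# Constructed sample body in the shape the advisory describes for
# GET /oauth/authorized_applications.json; not captured from a real server.
# A user who merely authorized these two apps should never see "secret".
LEAKY_BODY = <<~JSON
  [
    {"id": 1, "name": "Mobile App", "uid": "3f9c0b7e",
     "secret": "k9Jd2xQ7mZ", "created_at": "2020-01-10T12:00:00Z"},
    {"id": 2, "name": "CLI Tool",   "uid": "a81d44c0",
     "secret": "Pw5tR0vLnE", "created_at": "2020-02-03T08:30:00Z"}
  ]
JSON

# Assumption: these key names carry client credentials.
SENSITIVE_KEY = /\A(client_)?secret\z/i

# Recursively walk parsed JSON and return JSONPath-style locations of
# every key that matches SENSITIVE_KEY, whatever the nesting.
def secret_paths(node, path = "$")
  case node
  when Hash
    node.flat_map do |key, value|
      here = "#{path}.#{key}"
      (key.to_s.match?(SENSITIVE_KEY) ? [here] : []) + secret_paths(value, here)
    end
  when Array
    node.each_with_index.flat_map { |value, i| secret_paths(value, "#{path}[#{i}]") }
  else
    []
  end
end

# Entry point for the check: feed it the raw response body.
def leaked_secret_paths(body)
  secret_paths(JSON.parse(body))
end

# Hardened rendering of one application record: the secret is only kept
# when the caller is the application owner. In the authorized-applications
# listing the requester is a resource owner who granted access, not the
# app's owner, so that listing must always be rendered with for_owner: false.
def application_json(app, for_owner:)
  for_owner ? app : app.reject { |key, _| key.to_s.match?(SENSITIVE_KEY) }
end

def authorized_applications_json(apps, for_owner: false)
  JSON.generate(apps.map { |app| application_json(app, for_owner: for_owner) })
end

if __FILE__ == $PROGRAM_NAME
  puts "leaked: #{leaked_secret_paths(LEAKY_BODY).inspect}"
  fixed = authorized_applications_json(JSON.parse(LEAKY_BODY))
  puts "after hardening: #{leaked_secret_paths(fixed).inspect}"
end
```

To use this against a live instance, authorize any client as an ordinary user, fetch the JSON listing with that user's session, and pass the body to `leaked_secret_paths`; a non-empty result means the controller is exposing credentials that only the application owner should see.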