CVE-2020-10187

{"id": "CVE-2020-10187", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-05-04T14:15:13.013", "references": [{"url": "https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/doorkeeper-gem/doorkeeper/releases", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/rubysec/ruby-advisory-db/pull/446", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled."}, {"lang": "es", "value": "Doorkeeper versi\u00f3n 5.0.0 y posteriores, contienen una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que permite a un atacante recuperar el secreto del cliente previsto \u00fanicamente para el propietario de la aplicaci\u00f3n OAuth. Despu\u00e9s de autorizar la aplicaci\u00f3n y permitir el acceso, el atacante simplemente necesita solicitar la lista de sus aplicaciones autorizadas en un formato JSON (normalmente GET /oauth/authorized_applications.json). Una aplicaci\u00f3n es vulnerable si el controlador de aplicaciones autorizadas est\u00e1 habilitado."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "45324471-B8B5-4BD5-88D8-FDADD7068460", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "396ABBC9-1CC7-4E2C-96AA-784425C3316D", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}, {"criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "FB61DD54-2340-4B7D-B370-E82E4AA88A1F", "versionEndExcluding": "5.2.5", "versionStartIncluding": "5.2.0"}, {"criteria": "cpe:2.3:a:doorkeeper_project:doorkeeper:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "A79B9E86-2EBC-4452-BCAF-6180E3AB37C7", "versionEndExcluding": "5.3.2", "versionStartIncluding": "5.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}