CVE-2020-10187 in Doorkeeper

Summary

by MITRE

Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized applications controller is enabled.
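The practical check a defender wants after reading the summary is whether a given Doorkeeper instance still serializes the application secret in that listing. The following Ruby snippet is an added example written for this page, not code from Doorkeeper or MITRE: it inspects a captured body of the GET /oauth/authorized_applications.json response and reports every key that looks like a secret. The sample bodies are constructed, and the key-name pattern is an assumption (Doorkeeper stores the value in a column named secret, but the exact serialized key is not given on this page, so any key containing "secret" is matched).

```ruby
require 'json'

# Assumption: the leaked value is serialized under a key containing "secret".
SECRET_KEY_PATTERN = /secret/i

# Walk an arbitrary parsed JSON structure and return JSON-pointer-like paths
# ("/0/secret") of every key whose name matches SECRET_KEY_PATTERN.
def secret_paths(node, path = '')
  case node
  when Hash
    node.flat_map do |key, value|
      child = "#{path}/#{key}"
      found = key.to_s.match?(SECRET_KEY_PATTERN) ? [child] : []
      found + secret_paths(value, child)
    end
  when Array
    node.each_with_index.flat_map { |value, i| secret_paths(value, "#{path}/#{i}") }
  else
    []
  end
end

# Verdict for one response body:
#   [:vulnerable, paths]  a secret-like key is present in the listing
#   [:clean, []]          no secret-like key found
#   [:unparseable, []]    the body is not valid JSON (e.g. an HTML error page)
def check_authorized_applications_body(body)
  paths = secret_paths(JSON.parse(body))
  paths.empty? ? [:clean, []] : [:vulnerable, paths]
rescue JSON::ParserError
  [:unparseable, []]
end

# Constructed sample bodies; not captured from a real Doorkeeper instance.
VULNERABLE_BODY = JSON.generate([
  { 'id' => 1, 'name' => 'Example Client', 'uid' => 'abc123',
    'secret' => 'constructed-secret-value', 'created_at' => '2020-01-01T00:00:00Z' }
])
CLEAN_BODY = JSON.generate([
  { 'id' => 1, 'name' => 'Example Client', 'uid' => 'abc123' }
])

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_BODY, CLEAN_BODY, 'not json'].each do |body|
    verdict, paths = check_authorized_applications_body(body)
    puts "#{verdict}: #{paths.join(', ')}"
  end
end
```

Run it against a body captured from your own instance with an ordinary authorized user's session; a :vulnerable verdict after an upgrade means the patched version is not actually the one being served (for example a stale Gemfile.lock or a cached build).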


Analysis

by VulDB Data Team • 05/05/2020

The vulnerability described in CVE-2020-10187 represents a critical information disclosure flaw within the Doorkeeper OAuth implementation that affects versions 5.0.0 and later. This security weakness stems from improper access controls within the OAuth authorization framework, specifically within the authorized applications controller component. The vulnerability enables unauthorized access to sensitive client secrets that should remain confidential to the legitimate application owner. The flaw manifests when an attacker exploits the GET /oauth/authorized_applications.json endpoint to enumerate authorized applications and their associated credentials.

The technical mechanism behind this vulnerability involves a failure in authentication and authorization checks within the Doorkeeper gem's implementation. When users authorize OAuth applications, the system maintains a record of these authorizations including associated client secrets. However, the vulnerable implementation allows any authenticated user to retrieve this information through the JSON endpoint without proper access validation. This represents a direct violation of the principle of least privilege and demonstrates a clear breakdown in the OAuth security model. The vulnerability is classified under CWE-200 as "Information Disclosure" and aligns with ATT&CK technique T1528 for "Steal Application Access Token" and T1071.101 for "Application Layer Protocol: Web Protocols" in its exploitation methods.

The operational impact of this vulnerability extends beyond simple information disclosure, as client secrets represent critical credentials that can be used to impersonate legitimate applications within the OAuth ecosystem. An attacker who successfully exploits this vulnerability gains the ability to make unauthorized requests on behalf of the affected applications, potentially leading to data breaches, unauthorized access to user accounts, and compromise of the entire OAuth authorization chain. The vulnerability affects any application using Doorkeeper 5.0.0 or later where the authorized applications controller is enabled, making it particularly widespread within the Ruby on Rails ecosystem. Organizations using Doorkeeper for OAuth implementation face significant risk of credential compromise and potential lateral movement within their systems.

Mitigation strategies for CVE-2020-10187 require immediate attention through software updates to versions that address the information disclosure vulnerability. Organizations should ensure their Doorkeeper gem is updated to the latest patched version that properly validates access controls for the authorized applications endpoint. Additionally, administrators should implement network-level controls to restrict access to sensitive endpoints and consider disabling the authorized applications controller if it is not essential for their operational requirements. The implementation of proper input validation and access control checks should be enforced throughout the application's OAuth handling components. Security monitoring should be enhanced to detect unusual access patterns to OAuth endpoints, and regular security assessments should be conducted to identify similar vulnerabilities in other authentication components. Organizations should also review their OAuth implementation practices and ensure that client secrets are properly protected through secure storage mechanisms and access controls, as outlined in NIST SP 800-63B and ISO/IEC 29110 security standards.
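The monitoring recommendation above becomes concrete once it is reduced to a query over access logs: which clients fetched the authorized-applications listing in its JSON representation, which is the only form that exposed the secret. The Ruby script below is an added example for this page, not Doorkeeper's or VulDB's code. It parses combined-format access log lines (constructed samples, with RFC 5737 documentation addresses) and counts successful GET requests for the JSON listing per client address. Rails also selects the JSON representation for a ?format=json query parameter, so both spellings are matched; the function names and the threshold are this example's own choices.

```ruby
require 'time'

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_LINE = /\A(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Rails renders the JSON representation for a .json suffix or a format=json query parameter.
JSON_LISTING = %r{\A/oauth/authorized_applications(?:\.json\b|/?\?(?:.*&)?format=json\b)}i

# Parse one line into a hash, or nil when the line is not in combined format.
def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  {
    ip: m[:ip], user: m[:user],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i
  }
end

# Successful (2xx) GET requests for the JSON listing, counted per client address.
def json_listing_hits(lines)
  lines.map { |l| parse_line(l) }.compact
       .select { |r| r[:method] == 'GET' && r[:path].match?(JSON_LISTING) && (200..299).cover?(r[:status]) }
       .group_by { |r| r[:ip] }
       .transform_values(&:size)
end

# Addresses at or above the threshold. The default of 1 reflects that the JSON
# listing is normally consumed by the application's own front end, not by users
# calling it directly, so any hit deserves a look.
def flagged_clients(lines, threshold: 1)
  json_listing_hits(lines).select { |_, n| n >= threshold }.keys
end

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  203.0.113.7 - alice [05/May/2020:14:03:11 +0000] "GET /oauth/authorized_applications HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
  203.0.113.7 - alice [05/May/2020:14:03:20 +0000] "GET /oauth/authorized_applications.json HTTP/1.1" 200 512 "-" "curl/7.68.0"
  198.51.100.9 - bob [05/May/2020:14:04:02 +0000] "GET /oauth/authorized_applications?format=json HTTP/1.1" 200 498 "-" "python-requests/2.23"
  198.51.100.9 - bob [05/May/2020:14:04:05 +0000] "GET /oauth/authorized_applications.json HTTP/1.1" 401 31 "-" "python-requests/2.23"
  192.0.2.4 - - [05/May/2020:14:05:00 +0000] "POST /oauth/token HTTP/1.1" 200 180 "-" "app/1.0"
  garbage line that does not parse
LOG

if __FILE__ == $PROGRAM_NAME
  json_listing_hits(SAMPLE_LOG).each { |ip, n| puts "#{ip}: #{n} JSON listing request(s)" }
  puts "flagged: #{flagged_clients(SAMPLE_LOG).join(', ')}"
end
```

One caveat: Rails also negotiates the JSON representation from an Accept: application/json header, which a combined-format log does not record; if the front end relies on that header, log it (or check format at the application layer) so those requests are not missed. For the "disable the controller" option mentioned above, Doorkeeper's routing DSL provides skip_controllers inside the use_doorkeeper block, which removes the endpoint entirely rather than relying on perimeter filtering.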

Reservation

03/06/2020

Moderation

accepted

CPE

ready

EPSS

0.02016

KEV

no

Activities

very low

Sources
