GHSA-qqxw-m5fj-f7gv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qqxw-m5fj-f7gv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qqxw-m5fj-f7gv/GHSA-qqxw-m5fj-f7gv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qqxw-m5fj-f7gv
- Aliases
- Related
- Published
- 2021-12-20T18:02:38Z
- Modified
- 2023-12-06T01:00:35.764592Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L CVSS Calculator
- Summary
- The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
- Details
-
Impact
An open redirect vulnerability has been found in
oauth2_proxy. Anyone who usesoauth2_proxymay potentially be impacted.For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.
tl;dr: People's authentication tokens could be silently harvested by an attacker. e.g:
facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/Patches
@sauyon found the issue, and has submitted a patch.
diff --git a/oauthproxy.go b/oauthproxy.go index 72ab580..f420df6 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error) // IsValidRedirect checks whether the redirect URL is whitelisted func (p *OAuthProxy) IsValidRedirect(redirect string) bool { switch { - case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): + case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"): return true case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"): redirectURL, err := url.Parse(redirect)This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.
Workarounds
At this stage there is no work around.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-601" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-24T21:20:17Z" }- References
-
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
- https://nvd.nist.gov/vuln/detail/CVE-2020-5233
- https://github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
- https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect
- https://github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0
Affected packages
Go / github.com/oauth2-proxy/oauth2-proxy
Package
- Name
- github.com/oauth2-proxy/oauth2-proxy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/oauth2-proxy/oauth2-proxy