CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
45.1%
An open redirect vulnerability has been found in oauth2_proxy
. Anyone who uses oauth2_proxy
may potentially be impacted.
For a context [detectify] have an in depth blog post about the potential impact of an open redirect. Particularly see the OAuth section.
tl;dr: People’s authentication tokens could be silently harvested by an attacker. e.g:
facebook.com/oauth.php?clientid=123&state=abc&redirect_url=https://yourdomain.com/red.php?url%3dhttps://attacker.com/
@sauyon found the issue, and has submitted a patch.
diff --git a/oauthproxy.go b/oauthproxy.go
index 72ab580..f420df6 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -517,7 +517,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
- case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)
This patch will be applied to the next release, which is scheduled for when this is publicly disclosed.
At this stage there is no work around.
Vendor | Product | Version | CPE |
---|---|---|---|
oauth2-proxy | oauth2-proxy | * | cpe:2.3:a:oauth2-proxy:oauth2-proxy:*:*:*:*:*:*:*:* |
blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/
github.com/advisories/GHSA-qqxw-m5fj-f7gv
github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
github.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
github.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0
nvd.nist.gov/vuln/detail/CVE-2020-5233
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
45.1%