An open redirect vulnerability has been found in Sourcegraph instances with OAuth, OpenID, or SAML authentication enabled. It allows users to be targeted for phishing attacks: a link to the legitimate sign-in page can send the user, and the authentication tokens carried by the login callback, to a host of the attacker's choice, so the tokens are silently harvested.
github.com/sourcegraph/sourcegraph/cmd/frontend/auth
Sourcegraph v3.14.4 and v3.15.1 have been released and resolve the vulnerability (see the associated change in the references below).
Workaround: disabling the OAuth, OpenID and SAML sign-in options until the instance is upgraded to a patched version mitigates the issue, since the open redirect is only reachable through those sign-in flows.
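The advisory does not describe the exact code path, so the following is a general illustration of the open-redirect class it names, added here and not Sourcegraph's code. It shows a post-login redirect helper in the vulnerable form (returning whatever the request supplied) next to a hardened form that accepts only same-origin absolute paths, including the browser quirks that slip past a naive "starts with a slash" test. The `redirect` query parameter, the `callbackHandler` function and the sample inputs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// vulnerableRedirectTarget is the pattern behind an open redirect: the
// post-login destination is whatever the (attacker-controlled) request
// supplied, so a phishing link to the real sign-in page can bounce the user,
// together with whatever the callback carries, to a host the attacker chose.
func vulnerableRedirectTarget(raw string) string {
	if raw == "" {
		return "/"
	}
	return raw
}

// safeRedirectTarget accepts only a same-origin absolute path such as
// "/search?q=foo" and falls back to "/" for anything else.
func safeRedirectTarget(raw string) string {
	const fallback = "/"
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// "https://evil.example", "//evil.example" and "javascript:..." set a
	// scheme, a host or an opaque part; a same-origin path sets none of them.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return fallback
	}
	// u.Path is the percent-decoded path, so a parameter arriving as
	// "%2F%2Fevil.example" is inspected as "//evil.example".
	p := u.Path
	switch {
	case !strings.HasPrefix(p, "/"):
		// Relative targets ("evil.example") are not what a login flow wants;
		// require an absolute path.
		return fallback
	case strings.HasPrefix(p, "//"):
		// net/url keeps "///evil.example" as a path, but browsers collapse the
		// leading slashes and navigate to evil.example.
		return fallback
	case strings.HasPrefix(p, `/\`):
		// Browsers treat a backslash like a slash in http(s) URLs, so
		// "/\evil.example" becomes "//evil.example".
		return fallback
	}
	return u.String()
}

// callbackHandler is an assumed OAuth/SAML callback handler (not Sourcegraph's
// own) showing where the check belongs: on the way out, right before the redirect.
func callbackHandler(w http.ResponseWriter, r *http.Request) {
	// Token or assertion validation would happen here (omitted in this example).
	http.Redirect(w, r, safeRedirectTarget(r.URL.Query().Get("redirect")), http.StatusFound)
}

func main() {
	// Constructed sample values for the redirect parameter.
	inputs := []string{
		"/search?q=foo",
		"https://evil.example/",
		"//evil.example/",
		"///evil.example/",
		`/\evil.example`,
		"%2F%2Fevil.example",
		"javascript:alert(1)",
	}
	for _, in := range inputs {
		fmt.Printf("%-24q vulnerable=%-24q safe=%q\n", in, vulnerableRedirectTarget(in), safeRedirectTarget(in))
	}
}
```

Only the first sample survives the hardened check; every other form is one the vulnerable helper would pass straight to `http.Redirect`. An allow-list of exact paths is stricter still, but the same-origin path check above is the minimum that closes the redirect-to-attacker case.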
If you have any questions or comments about this advisory, please contact us at [email protected] and include CVE-2020-12283 in the title.
github.com/sourcegraph/sourcegraph
github.com/sourcegraph/sourcegraph/blob/master/CHANGELOG.md
github.com/sourcegraph/sourcegraph/commit/c0f48172e815c7f66471a38f0a06d1fc32a77a64
github.com/sourcegraph/sourcegraph/compare/v3.15.0...v3.15.1
github.com/sourcegraph/sourcegraph/pull/10167
github.com/sourcegraph/sourcegraph/security/advisories/GHSA-mx43-r985-5h4m
nvd.nist.gov/vuln/detail/CVE-2020-12283
securitylab.github.com/advisories/GHSL-2020-085-sourcegraph