Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtNmMtanA2Zi0ydmN2
Open Redirect in OAuth2 Proxy
Impact
As users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access.
This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially harmful sites.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtNmMtanA2Zi0ydmN2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00066
EPSS Percentile: 0.30507
Identifiers: GHSA-5m6c-jp6f-2vcv, CVE-2020-4037
References:
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv
- https://nvd.nist.gov/vuln/detail/CVE-2020-4037
- https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2
- https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0
- https://github.com/advisories/GHSA-5m6c-jp6f-2vcv
Blast Radius: 1.0
Affected Packages
go:github.com/oauth2-proxy/oauth2-proxy
Dependent packages: 1Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 5.1.1, < 6.0.0
Fixed in: 6.0.0
All affected versions:
All unaffected versions: 1.1.1, 2.0.1, 3.0.0, 3.1.0, 3.2.0