Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJmcTMtdzU0Yy1mOXE1
OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
Impact
fosite#400 (released as v0.30.2) introduced a new feature for handling redirect URLs pointing to loopback interfaces (rfc8252#section-7.3). As part of that change new behavior was introduced which failed to respect the redirect URL's (only for loopback interfaces!) query parameters
- Registering a client with allowed redirect URL
http://127.0.0.1/callback
- Performing OAuth2 flow and requesting redirect URL
http://127.0.0.1/callback?bar=foo
- Instead of an error, the browser is redirected to
http://127.0.0.1/callback?bar=foo
with a potentially successful OAuth2 response.
as well as the host parameter (as long as the host is a loopback interface):
- Registering a client with allowed redirect URL
https://example.com/callback
- Performing OAuth2 flow and requesting redirect URL
http://127.0.0.1/callback
- Instead of an error, the browser is redirected to
http://127.0.0.1/callback
with a potentially successful OAuth2 response.
These bugs are only applicable in scenarios where the attacker has control over the loopback interface (localhost
, 127.0.0.1
, [::1]
) where the browser performing the OAuth2 flow is running.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJmcTMtdzU0Yy1mOXE1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Identifiers: GHSA-rfq3-w54c-f9q5, CVE-2020-15233
References:
- https://github.com/ory/fosite/security/advisories/GHSA-rfq3-w54c-f9q5
- https://nvd.nist.gov/vuln/detail/CVE-2020-15233
- https://github.com/ory/fosite/pull/400
- https://github.com/ory/fosite/commit/cdee51ebe721bfc8acca0fd0b86b030ca70867bf
- https://github.com/advisories/GHSA-rfq3-w54c-f9q5
Blast Radius: 13.3
Affected Packages
go:github.com/ory/fosite
Dependent packages: 157Dependent repositories: 264
Downloads:
Affected Version Ranges: >= 0.30.3, < 0.34.1
Fixed in: 0.34.1
All affected versions: 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.31.0, 0.31.1, 0.31.2, 0.31.3, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.32.4, 0.33.0, 0.34.0
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.17, 0.6.18, 0.6.19, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.25.1, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.28.0, 0.28.1, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.29.5, 0.29.6, 0.29.7, 0.29.8, 0.30.0, 0.30.1, 0.30.2, 0.34.1, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.41.0, 0.42.0, 0.42.1, 0.42.2, 0.43.0, 0.44.0, 0.45.0