Open Redirect Affecting github.com/oauth2-proxy/oauth2-proxy package, versions <7.0.0


Severity score: 0.0 (medium)
  • Attack Complexity: Low
  • User Interaction: Required

  • snyk-id: SNYK-GOLANG-GITHUBCOMOAUTH2PROXYOAUTH2PROXY-1069935
  • published: 3 Feb 2021
  • disclosed: 3 Feb 2021
  • credit: Sergio Morales

How to fix?

Upgrade github.com/oauth2-proxy/oauth2-proxy to version 7.0.0 or higher.

Overview

github.com/oauth2-proxy/oauth2-proxy is a reverse proxy that provides authentication with Google, GitHub or other providers.

Affected versions of this package are vulnerable to Open Redirect. For users of the whitelist domain feature, a domain whose name merely ended in the same characters as the intended domain could have been accepted as a redirect target.

For example, if a whitelist domain was configured as .example.com, the intention is that subdomains of example.com are allowed. Instead, example.com and badexample.com could also match, because the check compared only the trailing characters of the host name.
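The matching flaw described above, shown as an added Go example that is not oauth2-proxy's own code: `weakDomainMatch` is an assumed reconstruction of the kind of bare suffix comparison that lets `badexample.com` pass for a `.example.com` entry, and `safeDomainMatch` / `isSafeRedirect` show a check that keeps the leading dot significant and only accepts absolute http(s) targets. Host names and whitelist entries below are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakDomainMatch is an assumed reconstruction of the bug class in the advisory
// (not the project's code): the leading dot is dropped and only a plain suffix
// comparison remains, so "badexample.com" and "example.com" both "end in"
// example.com and are accepted.
func weakDomainMatch(host, domain string) bool {
	return strings.HasSuffix(strings.ToLower(host), strings.ToLower(strings.TrimPrefix(domain, ".")))
}

// safeDomainMatch keeps the dot: an entry ".example.com" matches only hosts that
// end in the literal ".example.com" (i.e. real subdomains), and an entry without a
// leading dot must equal the host exactly. Comparison is case-insensitive because
// DNS names are.
func safeDomainMatch(host, domain string) bool {
	host = strings.ToLower(host)
	domain = strings.ToLower(domain)
	if strings.HasPrefix(domain, ".") {
		return strings.HasSuffix(host, domain)
	}
	return host == domain
}

// isSafeRedirect accepts a redirect target only if it is an absolute http or
// https URL (so scheme-relative "//evil" and relative paths are rejected before
// any host comparison) and its host name passes safeDomainMatch for at least one
// whitelist entry. The port is ignored for the comparison via Hostname().
func isSafeRedirect(raw string, whitelist []string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	if host == "" {
		return false
	}
	for _, d := range whitelist {
		if safeDomainMatch(host, d) {
			return true
		}
	}
	return false
}

func main() {
	whitelist := []string{".example.com"} // constructed sample configuration
	for _, h := range []string{"app.example.com", "example.com", "badexample.com"} {
		fmt.Printf("%-16s weak=%-5v safe=%v\n", h, weakDomainMatch(h, ".example.com"), safeDomainMatch(h, ".example.com"))
	}
	for _, target := range []string{"https://app.example.com/home", "https://badexample.com/", "//badexample.com/", "/local/path"} {
		fmt.Printf("%-30s allowed=%v\n", target, isSafeRedirect(target, whitelist))
	}
}
```

Running it prints one line per host showing that the weak check accepts all three names while the safe check accepts only the real subdomain, followed by the redirect decisions; only the first target is allowed.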