oauth2-proxy package, versions <7.0.0

Attack Complexity

Low
User Interaction

Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-GOLANG-GITHUBCOMOAUTH2PROXYOAUTH2PROXY-1069935
published

3 Feb 2021
disclosed

3 Feb 2021
credit

Sergio Morales

Report a new vulnerability Found a mistake?

Introduced: 3 Feb 2021

CVE-2021-21291 Open this link in a new tab CWE-601 Open this link in a new tab

How to fix?

Upgrade github.com/oauth2-proxy/oauth2-proxy to version 7.0.0 or higher.

Overview

github.com/oauth2-proxy/oauth2-proxy is a reverse proxy that provides authentication with Google, Github or other providers.

Affected versions of this package are vulnerable to Open Redirect. For users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

For example, if a whitelist domain was configured for .example.com, the intention is that subdomains of example.com are allowed. Instead, example.com and badexample.com could also match.

Open Redirect Affecting github.com/oauth2-proxy/oauth2-proxy package, versions <7.0.0

Attack Complexity

User Interaction

snyk-id

published

disclosed

credit

Introduced: 3 Feb 2021

How to fix?

Overview

References