Open Redirect Affecting github.com/pusher/oauth2_proxy package, versions <5.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (52nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMPUSHEROAUTH2PROXY-543837
  • published31 Jan 2020
  • disclosed30 Jan 2020
  • creditUnknown

Introduced: 30 Jan 2020

CVE-2020-5233  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade github.com/pusher/oauth2_proxy to version 5.0.0 or higher.

Overview

github.com/pusher/oauth2_proxy is a reverse proxy that provides authentication with Google, Github or other providers.

Affected versions of this package are vulnerable to Open Redirect. The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect. Authentication tokens could be silently harvested by an attacker.

CVSS Base Scores

version 3.1