CVE-2020-5233 — Open Redirect in Oauth2 Proxy

CWE-601 — Open Redirect3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pusher Oauth2 Proxy Github.com Oauth2-proxy Oauth2-proxy Oauth2 Proxy Project Oauth2 Proxy

Timeline

PublishedJan 30

Latest updateDec 20

Description

OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5pusher/oauth2_proxy< 5.0.0

▶NVDoauth2_proxy_project/oauth2_proxy< 5.0.0

▶Gogithub.com/oauth2-proxy_oauth2-proxy< 5.0.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect↗2021-12-20

▶

OSV

The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect↗2021-12-20

▶