CVE-2021-21411: Incorrect Authorization in Oauth2-proxy (Oauth2-proxy v7)

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.2% (top 55.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26; latest update Aug 11

Description

OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based author

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 4 packages

Patches

Vulnerability Details (3)

OSV, 2025-08-11: OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0 in github.com/oauth2-proxy/oauth2-proxy
OSV, 2025-07-30: OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0
GHSA, 2025-07-30: OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0

Vendor Advisories (1)

GitLab, 2021-03-26: CVE-2021-21411: OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-