CVE-2022-36087 — Improper Input Validation in Project Oauthlib

CWE-20 — Improper Input Validation CWE-601 — Open Redirect8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oauthlib Project Oauthlib Oauthlib Debian Python-oauthlib +1 more

Timeline

PublishedSep 9

Latest updateAug 2

Description

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/python-oauthlib< python-oauthlib 3.2.1-1 (bookworm)

▶PyPIoauthlib/oauthlib3.1.1 — 3.2.2

▶NVDoauthlib_project/oauthlib3.1.1 — 3.2.1

▶CVEListV5oauthlib/oauthlib>= 3.1.1, < 3.2.1

Also affects: Fedora 37

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

OAuthLib vulnerable to DoS when attacker provides malicious IPV6 URI↗2022-09-16

▶

GHSA

OAuthLib vulnerable to DoS when attacker provides malicious IPV6 URI↗2022-09-16

▶

OSV

CVE-2022-36087: OAuthLib is an implementation of the OAuth request-signing logic for Python 3↗2022-09-09

▶

📋Vendor Advisories

Ubuntu

OAuthLib vulnerability↗2022-09-22

▶

Red Hat

python-oauthlib: DoS when attacker provides malicious IPV6 URI↗2022-09-09

▶

Debian

CVE-2022-36087: python-oauthlib - OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+...↗2022

▶

📄Research Papers

arXiv

Unified Singular Protocol Flow for OAuth (USPFO) Ecosystem↗2023-08-02

▶