Vulnerability Details : CVE-2021-21291
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users of the whitelist domain feature, a redirect host whose name merely ended with the same characters as the intended domain could have been allowed as a redirect target. For example, if a whitelist domain was configured as ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.
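The following Go program is an added illustration of the flaw described above, not code from the oauth2-proxy project: `vulnerableHostAllowed` reconstructs the suffix-only comparison the advisory describes, while `hardenedHostAllowed` and `RedirectAllowed` show the behaviour a whitelist check should have (a dotted entry matches only real subdomains, an undotted entry must match exactly, and the apex domain is assumed not to be covered by a dotted entry). The whitelist and redirect values are constructed sample input.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed whitelist: a leading dot means "any subdomain of".
var whitelistDomains = []string{".example.com", "login.example.org"}
// vulnerableHostAllowed models the flawed check the advisory describes: the
// leading dot is dropped and a plain suffix comparison made, so "example.com"
// and "badexample.com" both satisfy ".example.com".
func vulnerableHostAllowed(host string, whitelist []string) bool {
	for _, d := range whitelist {
		if strings.HasSuffix(host, strings.TrimPrefix(d, ".")) {
			return true
		}
	}
	return false
}
// hardenedHostAllowed keeps the dot in the suffix comparison, so a dotted
// entry matches only real subdomains; an undotted entry must match exactly.
func hardenedHostAllowed(host string, whitelist []string) bool {
	host = strings.ToLower(host)
	for _, d := range whitelist {
		d = strings.ToLower(d)
		dotted := strings.HasPrefix(d, ".")
		if (dotted && strings.HasSuffix(host, d)) || (!dotted && host == d) {
			return true
		}
	}
	return false
}
// RedirectAllowed applies the hardened check to a redirect parameter: a local
// path passes, anything that names a host must be whitelisted.
func RedirectAllowed(redirect string, whitelist []string) bool {
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	if u.Host == "" { // no authority: allow only a plain local path
		return strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//")
	}
	return hardenedHostAllowed(u.Hostname(), whitelist)
}

func main() {
	fmt.Println(RedirectAllowed("https://badexample.com/cb", whitelistDomains)) // false
}
```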
Vulnerability category: Open redirect
Products affected by CVE-2021-21291
- cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21291
0.13%: probability of exploitation activity in the next 30 days
~47%: percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-21291
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | 
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
4.7 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 1.6 | 2.7 | GitHub, Inc. | 
CWE ids for CVE-2021-21291
- A web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. This simplifies phishing attacks. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-21291
- https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0 (Release v7.0.0 · oauth2-proxy/oauth2-proxy · GitHub) [Release Notes; Third Party Advisory]
- https://github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725 (Merge pull request from GHSA-4mf2-f3wh-gvf2 · oauth2-proxy/oauth2-proxy@780ae4f · GitHub) [Patch; Third Party Advisory]
- https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2 (Subdomain checking of whitelisted domains could allow unintended redirects · Advisory · oauth2-proxy/oauth2-proxy · GitHub) [Exploit; Third Party Advisory]
- https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7 (oauth2-proxy · pkg.go.dev) [Product; Third Party Advisory]