Vulnerability Details : CVE-2022-36087
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 up to (but not including) 3.2.1, an attacker providing a malicious redirect URI can cause a denial of service. An attacker can also leverage the `uri_validate` functions, depending on where they are used. OAuthLib applications that use the OAuth 2.0 provider support, or that call `uri_validate` directly, are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
Vulnerability category: Open redirect; Input validation; Denial of service
Products affected by CVE-2022-36087
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:oauthlib_project:oauthlib:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36087
0.27%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile: the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2022-36087
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
5.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H | 2.1 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-36087
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Primary)
- A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Assigned by: nvd@nist.gov (Secondary)
References for CVE-2022-36087
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYLYHE5HWF6R2CRLJFUK4PILR47WXOE/
  [SECURITY] Fedora 37 Update: python-oauthlib-3.2.1-1.fc37 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
  oauthlib/base.py at d4bafd9f1d0eba3766e933b1ac598cbbf37b8914 · oauthlib/oauthlib · GitHub (Exploit; Third Party Advisory)
- https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
  Merge pull request from GHSA-3pgj-pg6c-r5p7 · oauthlib/oauthlib@2e40b41 · GitHub (Patch; Third Party Advisory)
- https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
  DoS when attacker provides malicious IPv6 URI · Advisory · oauthlib/oauthlib · GitHub (Exploit; Mitigation; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X2CQZM5CKOUM4GW2GTAPQEQFPITQ6F7S/
  [SECURITY] Fedora 39 Update: python-oauthlib-3.2.2-1.fc39 - package-announce - Fedora Mailing-Lists
- https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1
  Release 3.2.1 · oauthlib/oauthlib · GitHub (Third Party Advisory)
- https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
  oauthlib/uri_validate.py at 2b8a44855a51ad5a5b0c348a08c2564a2e197ea2 · oauthlib/oauthlib · GitHub (Exploit; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXOPIA6M57CFQPUT6HHSNXCTV6QA3UDI/
  [SECURITY] Fedora 38 Update: python-oauthlib-3.2.2-1.fc38 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBCQJR3ZF7FVNTJYRVPVSQEQRAYZIUHU/
  [SECURITY] Fedora 37 Update: python-oauthlib-3.2.2-1.fc37 - package-announce - Fedora Mailing-Lists