CVE-2021-21291

Severity: MEDIUM (5.4) | EPSS: 0.24%

Subdomain checking of whitelisted domains could allow unintended redirects in oauth2-proxy

Published: 5/25/2021 | Modified: 3/13/2026
Also known as: GHSA-4mf2-f3wh-gvf2, BIT-oauth2-proxy-2021-21291, GO-2022-0790

Description

### Impact

_What kind of vulnerability is it? Who is impacted?_

For users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for `.example.com`, the intention is that subdomains of `example.com` are allowed. Instead, `example.com` and `badexample.com` could also match.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

This is fixed in version 7.0.0 onwards.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

# Original Issue

Posted by @semoac:

Whitelist Domain feature is not working as expected because it is not matching a dot to ensure the redirect is a subdomain.

## Expected Behavior

If whitelist domain is set to `.example.com`, then `hack.alienexample.com` should be rejected as a valid redirect.

## Current Behavior

The code is removing the `dot` from `.example.com` and only checking if the redirect string ends with `example.com`.

## Possible Solution

Here https://github.com/oauth2-proxy/oauth2-proxy/blob/c377466411f2aee180a732187edb638f2f7e57fb/oauthproxy.go#L661

Include the dot when checking the string:

```go
strings.HasSuffix(redirectHostname, "."+domainHostname)
```

## Steps to Reproduce (for bugs)

```go
package main

import (
	"fmt"
	"strings"
)

// validOptionalPort reports whether port is empty, ":*", or ":" followed only by digits.
func validOptionalPort(port string) bool {
	if port == "" || port == ":*" {
		return true
	}
	if port[0] != ':' {
		return false
	}
	for _, b := range port[1:] {
		if b < '0' || b > '9' {
			return false
		}
	}
	return true
}

// splitHostPort separates an optional trailing port and strips IPv6 brackets.
func splitHostPort(hostport string) (host, port string) {
	host = hostport
	colon := strings.LastIndexByte(host, ':')
	if colon != -1 && validOptionalPort(host[colon:]) {
		host, port = host[:colon], host[colon+1:]
	}
	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
		host = host[1 : len(host)-1]
	}
	return
}

func main() {
	domain := ".example.com"
	// The leading dot is stripped, so the suffix check below accepts any host ending in "example.com".
	domainHostname, _ := splitHostPort(strings.TrimLeft(domain, "."))
	redirectHostname := "https://hack.alienexample.com"
	if strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname) {
		fmt.Println("This should not have happened.")
	}
}
```

Users of `github.com/oauth2-proxy/oauth2-proxy` are advised to update to `github.com/oauth2-proxy/oauth2-proxy/v7`
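The vulnerable suffix check beside the dotted check the issue proposes, as an added example that is not part of the advisory or of oauth2-proxy's own code. It assumes a `hostnameOf` helper built on the standard library's `net.SplitHostPort` in place of the issue's `splitHostPort`, and runs both checks over a constructed set of redirect hosts.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostnameOf strips an optional :port from a host string. Assumption: inputs are
// bare hosts or host:port, which is what the issue's splitHostPort handled.
func hostnameOf(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// vulnerableMatch reproduces the pre-7.0.0 logic: the leading dot is removed and
// only a bare suffix comparison is made, so "badexample.com" ends in "example.com".
func vulnerableMatch(whitelistDomain, redirectHost string) bool {
	if !strings.HasPrefix(whitelistDomain, ".") {
		return false
	}
	domainHostname := hostnameOf(strings.TrimLeft(whitelistDomain, "."))
	return strings.HasSuffix(hostnameOf(redirectHost), domainHostname)
}

// fixedMatch keeps the dot in the suffix, so only genuine subdomains of the
// whitelisted domain match; the bare domain and look-alike domains do not.
func fixedMatch(whitelistDomain, redirectHost string) bool {
	if !strings.HasPrefix(whitelistDomain, ".") {
		return false
	}
	domainHostname := hostnameOf(strings.TrimLeft(whitelistDomain, "."))
	return strings.HasSuffix(hostnameOf(redirectHost), "."+domainHostname)
}

func main() {
	// Constructed sample redirect hosts, including the advisory's look-alike cases.
	hosts := []string{"app.example.com", "app.example.com:443", "example.com",
		"badexample.com", "hack.alienexample.com"}
	for _, h := range hosts {
		fmt.Printf("%-24s vulnerable=%-5v fixed=%v\n", h,
			vulnerableMatch(".example.com", h), fixedMatch(".example.com", h))
	}
}
```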

Affected packages (5)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |

References (5)