{ "schema_version": "1.4.0", "id": "GHSA-4mf2-f3wh-gvf2", "modified": "2021-05-21T21:37:23Z", "published": "2021-05-25T18:42:20Z", "aliases": [ "CVE-2021-21291" ], "summary": "Subdomain checking of whitelisted domains could allow unintended redirects in oauth2-proxy", "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nFor users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.\n\nFor example, if a whitelist domain was configured for `.example.com`, the intention is that subdomains of `example.com` are allowed.\nInstead, `example.com` and `badexample.com` could also match.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nThis is fixed in version 7.0.0 onwards.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nDisable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.\n\n# Original Issue Posted by @semoac:\n\nWhitelist Domain feature is not working as expected because is not matching a dot to ensure the redirect is a subdomain.\n\n## Expected Behavior\n\nIf whitelist domain is set to `.example.com` , then `hack.alienexample.com` should be rejected as a valid redirect.\n\n## Current Behavior\n\nThe code is removing the `dot` from `.example.com` and only checking if the redirect string end with `example.com`\n\n## Possible Solution\nHere\nhttps://github.com/oauth2-proxy/oauth2-proxy/blob/c377466411f2aee180a732187edb638f2f7e57fb/oauthproxy.go#L661\n\nInclude the dot when checking the string:\n```\nstrings.HasSuffix(redirectHostname, \".\" + domainHostname)\n```\n\n## Steps to Reproduce (for bugs)\n\n```\npackage main\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n)\n\nfunc validOptionalPort(port string) bool {\n\tif port == \"\" || port == \":*\" {\n\t\treturn true\n\t}\n\tif port[0] != ':' {\n\t\treturn false\n\t}\n\tfor _, b := range port[1:] {\n\t\tif b < '0' || b > '9' {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\nfunc splitHostPort(hostport string) (host, port string) {\n\thost = hostport\n\n\tcolon := strings.LastIndexByte(host, ':')\n\tif colon != -1 && validOptionalPort(host[colon:]) {\n\t\thost, port = host[:colon], host[colon+1:]\n\t}\n\n\tif strings.HasPrefix(host, \"[\") && strings.HasSuffix(host, \"]\") {\n\t\thost = host[1 : len(host)-1]\n\t}\n\n\treturn\n}\n\nfunc main() {\n\tdomain := \".example.com\"\n\tdomainHostname, _ := splitHostPort(strings.TrimLeft(domain, \".\"))\n\tredirectHostname := \"https://hack.alienexample.com\"\n\tif (strings.HasPrefix(domain, \".\") && strings.HasSuffix(redirectHostname, domainHostname)) { fmt.Println(\"This should not have happen.\")}\n}\n\n```\n\nUsers of `github.com/oauth2-proxy/oauth2-proxy` are advised to update to `github.com/oauth2-proxy/oauth2-proxy/v7`", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/oauth2-proxy/oauth2-proxy/v7" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.0" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/oauth2-proxy/oauth2-proxy" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.2.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21291" }, { "type": "WEB", "url": "https://github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725" }, { "type": "WEB", "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0" }, { "type": "WEB", "url": "https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-05-21T21:37:23Z", "nvd_published_at": null } }