Subdomain checking of whitelisted domains could allow unintended redirects

OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

指向未可信站点的URL重定向(开放重定向)

OAuth2 Proxy 输入验证错误漏洞

OAuth2 Proxy是一款能够提供与Google、Github或其他提供商进行身份验证的反向代理。 OAuth2 Proxy 存在安全漏洞，该漏洞源于允许以类似于预期域的方式结束的域作为重定向。

N/A

N/A