CVE-2021-21291: URL Redirection to Untrusted Site ('Open Redirect')

May 25, 2021

OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users of the allowlist domain feature, a redirect host that merely ended in characters similar to the intended domain could be accepted as a post-login redirect target. For example, an allowlist domain of “.example.com” is meant to allow only subdomains of example.com; instead, “example.com” and “badexample.com” could also match, which is an open redirect to an attacker-chosen host. This is fixed in version 7.0.0 onwards. As a workaround, disable the allowlist domain feature and run a separate OAuth2 Proxy instance for each subdomain.
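As an added illustration (not the project's own code, and not a reconstruction of its pre-7.0.0 source), the Go snippet below contrasts a redirect-host check that reduces a leading-dot allowlist entry to a bare suffix test with one that keeps the dot in the comparison. The hypothetical NaiveAllowed accepts “example.com” and “badexample.com” for an entry of “.example.com”, which is the class of behaviour the advisory describes; StrictAllowed accepts only proper subdomains, following the intent stated above. The function names, the single-entry allowlist and the sample redirect URLs are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOf extracts the lowercase hostname (port stripped) from an absolute
// http(s) redirect URL. Relative, protocol-relative ("//host") and
// non-http URLs are rejected so that only a real hostname is compared.
func hostOf(redirect string) (string, bool) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", false
	}
	return host, true
}

// NaiveAllowed is an illustrative (constructed) check with the flaw the
// advisory describes: the leading dot is trimmed before the suffix test,
// so ".example.com" also matches "example.com" and "badexample.com".
func NaiveAllowed(redirect string, allowlist []string) bool {
	host, ok := hostOf(redirect)
	if !ok {
		return false
	}
	for _, entry := range allowlist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			// BUG: bare suffix match on "example.com"
			if strings.HasSuffix(host, strings.TrimPrefix(entry, ".")) {
				return true
			}
			continue
		}
		if host == entry {
			return true
		}
	}
	return false
}

// StrictAllowed keeps the dot in the suffix test, so ".example.com" only
// matches hosts that end in ".example.com" (proper subdomains). An entry
// without a leading dot must equal the whole hostname.
func StrictAllowed(redirect string, allowlist []string) bool {
	host, ok := hostOf(redirect)
	if !ok {
		return false
	}
	for _, entry := range allowlist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			if strings.HasSuffix(host, entry) {
				return true
			}
			continue
		}
		if host == entry {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allowlist and redirect targets for the demonstration.
	allow := []string{".example.com"}
	for _, r := range []string{
		"https://app.example.com:8443/cb",
		"https://example.com/",
		"https://badexample.com/",
		"https://app.example.com.evil.net/",
		"//badexample.com/",
	} {
		fmt.Printf("%-38s naive=%-5v strict=%v\n", r, NaiveAllowed(r, allow), StrictAllowed(r, allow))
	}
}
```

Both checks compare hostnames case-insensitively and drop the port via url.URL.Hostname, so “app.example.com:8443” is judged on “app.example.com” alone. Protocol-relative targets such as “//badexample.com/” are rejected up front because they carry no scheme; that is a separate open-redirect pitfall the advisory does not cover, but any redirect validator should handle it.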

References

  • github.com/advisories/GHSA-4mf2-f3wh-gvf2
  • github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725
  • github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0
  • github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2
  • nvd.nist.gov/vuln/detail/CVE-2021-21291
  • pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7

Affected versions

All versions before 7.0.0

Fixed versions

  • 7.0.0

Solution

Upgrade to version 7.0.0 or above.

Impact 6.1 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weakness

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Source file

go/github.com/oauth2-proxy/oauth2-proxy/v7/CVE-2021-21291.yml

Page generated Wed, 14 May 2025 12:14:59 +0000.