CVE-2020-15234: URL Redirection to Untrusted Site (Open Redirect)

October 2, 2020 (updated November 18, 2021)

ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite, the OAuth Client’s registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using strings.ToLower while they should have been compared with a simple string match. This allows an attacker to register a client with allowed redirect URL.

References

nvd.nist.gov/vuln/detail/CVE-2020-15234

Detect and mitigate CVE-2020-15234 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →