| id: GO-2022-0790 |
| modules: |
| - module: github.com/oauth2-proxy/oauth2-proxy |
| unsupported_versions: |
| - last_affected: 3.2.0 |
| vulnerable_at: 3.2.0+incompatible |
| - module: github.com/oauth2-proxy/oauth2-proxy/v7 |
| versions: |
| - fixed: 7.0.0 |
| summary: |- |
| Subdomain checking of whitelisted domains could allow unintended redirects in |
| oauth2-proxy in github.com/oauth2-proxy/oauth2-proxy |
| cves: |
| - CVE-2021-21291 |
| ghsas: |
| - GHSA-4mf2-f3wh-gvf2 |
| references: |
| - advisory: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-4mf2-f3wh-gvf2 |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-21291 |
| - fix: https://github.com/oauth2-proxy/oauth2-proxy/commit/780ae4f3c99b579cb2ea9845121caebb6192f725 |
| - web: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0 |
| - web: https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7 |
| notes: |
| - fix: 'github.com/oauth2-proxy/oauth2-proxy/v7: could not add vulnerable_at: could not find tagged version between introduced and fixed' |
| source: |
| id: GHSA-4mf2-f3wh-gvf2 |
| created: 2024-08-20T14:14:59.754129-04:00 |
| review_status: UNREVIEWED |
| unexcluded: NOT_IMPORTABLE |
