| id: GO-ID-PENDING |
| modules: |
| - module: github.com/oauth2-proxy/oauth2-proxy |
| versions: |
| - introduced: 5.1.1 |
| fixed: 6.0.0 |
| summary: Open Redirect in OAuth2 Proxy in github.com/oauth2-proxy/oauth2-proxy |
| description: |- |
| ### Impact As users can provide a redirect address for the proxy to send the |
| authenticated user to at the end of the authentication flow. This is expected to |
| be the original URL that the user was trying to access. This redirect URL is |
| checked within the proxy and validated before redirecting the user to prevent |
| malicious actors providing redirects to potentially harmful sites. |
| cves: |
| - CVE-2020-4037 |
| ghsas: |
| - GHSA-5m6c-jp6f-2vcv |
| references: |
| - advisory: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv |
| - fix: https://github.com/oauth2-proxy/oauth2-proxy/commit/ee5662e0f5001d76ec76562bb605abbd07c266a2 |
| - web: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v6.0.0 |
| notes: |
| - lint: 'description: possible markdown formatting (found ### )' |
| - lint: 'modules[0] "github.com/oauth2-proxy/oauth2-proxy": 2 versions do not exist: 5.1.1, 6.0.0' |
| source: |
| id: GHSA-5m6c-jp6f-2vcv |
