Attacker providing malicious redirect uri can cause DoS to oauthlib's web application.
Attacker can also leverage usage of uri_validate functions depending where it is used.
What kind of vulnerability is it? Who is impacted?
Oauthlib applications using OAuth2.0 provider support or use directly uri_validate function.
Patches
Has the problem been patched? What versions should users upgrade to?
Issue fixed in 3.2.2 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The redirect_uri can be verified in web toolkit (i.e bottle-oauthlib, django-oauth-toolkit, ...) before oauthlib is called. A sample check if : is present to reject the request can prevent the DoS, assuming no port or IPv6 is fundamentally required.
This PR contains the following updates:
==3.2.0->==3.2.2GitHub Vulnerability Alerts
CVE-2022-36087
Impact
uri_validatefunctions depending where it is used.What kind of vulnerability is it? Who is impacted?
Oauthlib applications using OAuth2.0 provider support or use directly
uri_validatefunction.Patches
Has the problem been patched? What versions should users upgrade to?
Issue fixed in 3.2.2 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The
redirect_urican be verified in web toolkit (i.ebottle-oauthlib,django-oauth-toolkit, ...) before oauthlib is called. A sample check if:is present to reject the request can prevent the DoS, assuming no port or IPv6 is fundamentally required.References
Attack Vector:
uri_validatefunctions: https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.pyPoC
Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io
Release Notes
oauthlib/oauthlib (oauthlib)
### [`v3.2.2`](https://togithub.com/oauthlib/oauthlib/blob/HEAD/CHANGELOG.rst#322-2022-10-17) [Compare Source](https://togithub.com/oauthlib/oauthlib/compare/v3.2.1...v3.2.2) OAuth2.0 Provider: - CVE-2022-36087 ### [`v3.2.1`](https://togithub.com/oauthlib/oauthlib/blob/HEAD/CHANGELOG.rst#321-2022-09-09) [Compare Source](https://togithub.com/oauthlib/oauthlib/compare/v3.2.0...v3.2.1) OAuth2.0 Provider: - [#803](https://togithub.com/oauthlib/oauthlib/issues/803): Metadata endpoint support of non-HTTPS OAuth1.0: - [#818](https://togithub.com/oauthlib/oauthlib/issues/818): Allow IPv6 being parsed by signature General: - Improved and fixed documentation warnings. - Cosmetic changes based on isortConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.