GHSA-3pgj-pg6c-r5p7: OAuthLib vulnerable to DoS when attacker provides malicious IPV6 URI
Impact
- An attacker providing a malicious redirect_uri can cause a denial of service (DoS) in an oauthlib-based web application.
- An attacker can also leverage other uses of the uri_validate functions, depending on where they are used.
What kind of vulnerability is it? Who is impacted?
OAuthLib applications that use the OAuth 2.0 provider support, or that call the uri_validate functions directly, are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The issue is fixed in the 3.2.1 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The redirect_uri can be verified in the web toolkit (e.g. bottle-oauthlib, django-oauth-toolkit, …) before oauthlib is called. A sample check that rejects the request if a `:` is present in the host part of the redirect_uri can prevent the DoS, assuming no port or IPv6 address is fundamentally required.
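The pre-filter described in the workaround, written out as an added example (it is not oauthlib's code and not from the advisory). It extracts the authority of the redirect_uri with plain string slicing, so the filter itself does no pattern matching on the input, and rejects any authority containing a `:` (an explicit port or a bracketed IPv6 literal such as the advisory's PoC). The function names, the `allow_port_or_ipv6` opt-in and the length cap are assumptions of this example; the framework hook that calls it (request handler in bottle-oauthlib, django-oauth-toolkit, …) is left to the deployment.

```python
# Added example: a pre-filter for redirect_uri values, applied in the web
# toolkit before oauthlib is called. It is not oauthlib's own code.

# Constructed sample inputs. The first one is the PoC string from the advisory.
MALICIOUS_REDIRECT_URI = "http://[:::::::::::::::::::::::::::::::::::::::]/path"
BENIGN_REDIRECT_URI = "https://client.example.com/oauth/callback"
PORT_REDIRECT_URI = "https://client.example.com:8443/oauth/callback"

# Defensive cap on the length of a redirect_uri we are willing to inspect at
# all (an assumption of this example, not a value from the advisory).
MAX_REDIRECT_URI_LENGTH = 2048


def authority_of(uri: str) -> str:
    """Return the authority (host[:port], possibly with userinfo) of an absolute
    URI, or '' if the URI has no '//' authority component.

    Plain string slicing is used on purpose: the point of the pre-filter is to
    decide before any pattern-based URI validation ever sees the input.
    """
    scheme_end = uri.find("://")
    if scheme_end == -1:
        return ""
    rest = uri[scheme_end + 3:]
    # The authority ends at the first path, query or fragment delimiter.
    end = len(rest)
    for delimiter in "/?#":
        position = rest.find(delimiter)
        if position != -1 and position < end:
            end = position
    return rest[:end]


def is_acceptable_redirect_uri(uri: str, allow_port_or_ipv6: bool = False) -> bool:
    """Return True if `uri` may be handed on to oauthlib.

    Implements the advisory's workaround: reject the request when a ':'
    appears in the host part, which covers both explicit ports and bracketed
    IPv6 literals such as the PoC. Deployments that genuinely need ports or
    IPv6 redirect targets can opt in with allow_port_or_ipv6=True, in which
    case the only real protection is upgrading oauthlib to 3.2.1.
    """
    if len(uri) > MAX_REDIRECT_URI_LENGTH:
        return False
    authority = authority_of(uri)
    if not authority:
        # RFC 6749 requires redirect URIs to be absolute, so a URI without
        # an authority component is not a valid redirect target anyway.
        return False
    if ":" in authority and not allow_port_or_ipv6:
        return False
    return True


def filter_redirect_uris(uris):
    """Split candidate redirect_uri values into (accepted, rejected) lists,
    so the outcome is easy to log or assert on."""
    accepted, rejected = [], []
    for uri in uris:
        (accepted if is_acceptable_redirect_uri(uri) else rejected).append(uri)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_redirect_uris(
        [MALICIOUS_REDIRECT_URI, BENIGN_REDIRECT_URI, PORT_REDIRECT_URI]
    )
    print("accepted:", ok)
    print("rejected:", bad)
```

Call `is_acceptable_redirect_uri()` on the raw `redirect_uri` parameter in the toolkit's request handler and return an error response on `False`; only values that pass are passed to oauthlib. Note that the check also rejects userinfo (`user:pass@host`), which is consistent with the assumption that nothing beyond a bare hostname is needed.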
References
Attack Vector:
- Attacker providing malicious redirect uri: https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
- Vulnerable uri_validate functions: https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
PoC
is_absolute_uri("http://[:::::::::::::::::::::::::::::::::::::::]/path")
Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io
Package
oauthlib (pip)
Affected versions
>= 3.1.1, < 3.2.1
Patched versions
3.2.1
References
- GHSA-3pgj-pg6c-r5p7
- https://nvd.nist.gov/vuln/detail/CVE-2022-36087
- oauthlib/oauthlib@2e40b41
- https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
- https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
- https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1
- https://github.com/pypa/advisory-database/tree/main/vulns/oauthlib/PYSEC-2022-269.yaml
JonathanHuot published the maintainer security advisory on Sep 9, 2022
Severity
Moderate, 5.7 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Weaknesses
CWE-20, CWE-601
CVE ID
CVE-2022-36087
GHSA ID
GHSA-3pgj-pg6c-r5p7
Source code
oauthlib/oauthlib
Credits
- SCH227
Related news
Ubuntu Security Notice 5632-1 - Sebastian Chnelik discovered that OAuthLib incorrectly handled certain redirect uris. A remote attacker could possibly use this issue to cause OAuthLib to crash, resulting in a denial of service.
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.