CVE-2022-36087

Advisory

OAuthLib 3.2.1 includes a fix for CVE-2022-36087: In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of 'uri_validate' functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly 'uri_validate' are affected by this issue. There are no known workarounds.
https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7

Affected package

Affected versions

Fixed versions

Vulnerability changelog

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds. See CVE-2022-36087.


CONFIRM:https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7: https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
MISC:https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py: https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
MISC:https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232: https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
MISC:https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd: https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
MISC:https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1: https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1

Resources

• https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
• https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_vali
• https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/r
• https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
• https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36087
• https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
• https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
• https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYLYHE5HWF6R2CRLJFUK4PILR47WXOE/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/X2CQZM5CKOUM4GW2GTAPQEQFPITQ6F7S/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/NBCQJR3ZF7FVNTJYRVPVSQEQRAYZIUHU/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/LXOPIA6M57CFQPUT6HHSNXCTV6QA3UDI/