CVE-2020-15234 github.com/ory/fosite

Package

Manager: go
Name: github.com/ory/fosite
Vulnerable Version: >=0 <0.34.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00255 (percentile 0.48657)

Details

Redirect URL matching ignores character casing

Impact

Before version v0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using `strings.ToLower`, while they should have been compared with a simple string match:

1. Register a client with allowed redirect URL `https://example.com/callback`.
2. Perform the OAuth2 flow and request redirect URL `https://example.com/CALLBACK`.
3. Instead of an error (invalid redirect URL), the browser is redirected to `https://example.com/CALLBACK` with a potentially successful OAuth2 response, depending on the state of the overall OAuth2 flow (the user might still deny the request, for example).

Metadata

Created: 2021-05-24T17:00:05Z
Modified: 2021-11-19T14:43:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-grfp-q2mm-hfp6/GHSA-grfp-q2mm-hfp6.json
CWE IDs: CWE-178, CWE-20, CWE-601
Alternative ID: GHSA-grfp-q2mm-hfp6
Finding: F156
Auto approve: 1