CVE-2021-21411

{"id": "CVE-2021-21411", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2021-03-26T21:15:13.630", "references": [{"url": "https://docs.gitlab.com/ee/user/group/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oauth2-proxy/oauth2-proxy/commit/0279fa7dff1752f1710707dbd1ffac839de8bbfc", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.1.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-652x-m2gr-hppm", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization checks instead of groups; it is not broken."}, {"lang": "es", "value": "OAuth2-Proxy es un proxy inverso de c\u00f3digo abierto que proporciona autenticaci\u00f3n con Google, Github u otros proveedores. El flag \"--gitlab-group\" para la autorizaci\u00f3n basada en grupos en el proveedor GitLab dej\u00f3 de funcionar en la versi\u00f3n v7.0.0. Independientemente de la configuraci\u00f3n del flag, la autorizaci\u00f3n no estaba restringida. Adem\u00e1s, cualquier usuario autenticado ten\u00eda los grupos que hab\u00edan sido establecidos en \"--gitlab-group\" a\u00f1adidos al nuevo encabezado \"X-Forwarded-Groups\" para la aplicaci\u00f3n de origen. Al a\u00f1adir la compatibilidad con la autorizaci\u00f3n basada en proyectos de GitLab en el n\u00famero 630, se introdujo un error por el que el campo groups de la sesi\u00f3n del usuario se rellenaba con las entradas de configuraci\u00f3n de \"--gitlab-group\" en lugar de extraer la pertenencia al grupo del usuario individual desde el endpoint de GitLab Userinfo. Cuando los grupos de la sesi\u00f3n se comparaban con los grupos permitidos para la autorizaci\u00f3n, coincid\u00edan incorrectamente (ya que ambas listas se rellenaban con los mismos datos), por lo que se permit\u00eda la autorizaci\u00f3n. Esto afecta a usuarios del proveedor de GitLab que se basan en la pertenencia a grupos para las restricciones de autorizaci\u00f3n. Cualquier usuario autenticado en su entorno de GitLab puede acceder a sus aplicaciones independientemente de las restricciones de pertenencia a grupos de \"--gitlab-group\". Esto ha sido corregido en la versi\u00f3n 7.1.0. No se presenta una soluci\u00f3n para el error de Group membership. Pero \"--gitlab-project\" puede ser configurado para usar Project membership como la comprobaci\u00f3n de la autorizaci\u00f3n en lugar de los grupos; esto no est\u00e1 roto."}], "lastModified": "2021-04-06T12:42:17.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oauth2_proxy_project:oauth2_proxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5AAF6F8-6CAE-4E37-9DD9-28C967852020", "versionEndExcluding": "7.1.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}