CVE-2020-5233 — Open Redirect in OAuth2 Proxy

Description

OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.

How to fix CVE-2020-5233

To remediate CVE-2020-5233, upgrade the affected package to a fixed version below.

Bitnami/oauth2-proxy—upgrade to 5.0.0 or later
—upgrade to 5.0.0 or later

Is CVE-2020-5233 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.0.0
from 0, < 5.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-5233
WEBblog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect
WEBgithub.com/oauth2-proxy/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b313607b2
WEBgithub.com/oauth2-proxy/oauth2_proxy/releases/tag/v5.0.0