CVE-2026-40575
Authentication Bypass via X-Forwarded-Uri Header in OAuth2 Proxy
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oauth2_proxy_project | oauth2_proxy | From 7.5.0 (inc) to 7.15.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects OAuth2 Proxy versions 7.5.0 through 7.15.1 when the --reverse-proxy option is enabled along with at least one --skip-auth-regex or --skip-auth-route rule. The issue arises because the proxy may trust a client-supplied X-Forwarded-Uri header. An attacker can spoof this header so that OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.
As a result, an unauthenticated remote attacker can bypass authentication and access protected routes without a valid session.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to bypass authentication controls and gain unauthorized access to protected routes or resources in your application.
If your deployment runs OAuth2 Proxy with --reverse-proxy enabled and uses skip-auth rules, attackers could exploit this to access sensitive data or functionality without proper authorization.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should take the following steps:
- Upgrade OAuth2 Proxy to version 7.15.2 or later where the issue is patched.
- Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level.
- Explicitly overwrite the X-Forwarded-Uri header with the actual request URI before forwarding requests to OAuth2 Proxy.
- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy.
- Remove or narrow --skip-auth-regex or --skip-auth-route rules where possible.
- For nginx-based deployments, ensure X-Forwarded-Uri is set by nginx and not passed through from the client.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated remote attacker to bypass authentication and access protected routes without a valid session. Such unauthorized access to protected resources can lead to exposure of sensitive data.
As a result, organizations using affected versions of OAuth2 Proxy may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Failure to prevent unauthorized access could lead to data breaches, potentially violating these regulations and resulting in legal and financial consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves OAuth2 Proxy trusting a client-supplied X-Forwarded-Uri header when certain flags are enabled, allowing an attacker to bypass authentication. Detection involves verifying if your deployment runs OAuth2 Proxy versions 7.5.0 through 7.15.1 with --reverse-proxy enabled and configured with --skip-auth-regex or --skip-auth-route rules.
To detect potential exploitation or presence of this vulnerability on your network or system, you can monitor HTTP requests for suspicious or unexpected X-Forwarded-Uri headers that differ from the actual request URI.
Suggested commands include using network traffic inspection tools like tcpdump or tshark to capture and filter HTTP headers, for example:
- tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep 'X-Forwarded-Uri'
- tshark -i <interface> -Y 'http.header contains "X-Forwarded-Uri"' -T fields -e http.host -e http.request.uri -e http.header
Additionally, review your OAuth2 Proxy configuration to check if --reverse-proxy is enabled and if any skip-auth rules are set. Audit logs for unexpected access to protected routes without valid sessions may also indicate exploitation.
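The header-driven decision described above, together with the overwrite mitigation and the header-mismatch detection signal from the two answers, as an added Go example; it is not oauth2-proxy's own code and does not reproduce its internals, and the skip-auth rules, the /admin and /healthz paths and the request are constructed for the demonstration:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Constructed rules standing in for --skip-auth-regex values; not oauth2-proxy's own code.
var skipAuthRules = []*regexp.Regexp{regexp.MustCompile(`^/healthz$`), regexp.MustCompile(`^/static/`)}

// SkipsAuth models the weak behaviour the advisory describes: in reverse-proxy mode a present
// X-Forwarded-Uri header, not the real path, is matched against the skip-auth rules.
func SkipsAuth(r *http.Request, reverseProxy bool) (string, bool) {
	path := r.URL.Path
	if fwd := r.Header.Get("X-Forwarded-Uri"); reverseProxy && fwd != "" {
		path = fwd
	}
	for _, rule := range skipAuthRules {
		if rule.MatchString(path) {
			return path, true
		}
	}
	return path, false
}

// HeaderMismatch is the detection signal from the Q&A: a header that differs from the real URI.
func HeaderMismatch(r *http.Request) bool {
	fwd := r.Header.Get("X-Forwarded-Uri")
	return fwd != "" && fwd != r.URL.RequestURI()
}

// NormalizeForwardedURI is the mitigation at the trusted proxy: overwrite the header with the real URI.
func NormalizeForwardedURI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
		next.ServeHTTP(w, r)
	})
}

func main() {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil) // constructed: real path /admin
	r.Header.Set("X-Forwarded-Uri", "/healthz")            // header claims a skip-auth path
	fmt.Println(SkipsAuth(r, true))                         // direct: /healthz true (bypass)
	NormalizeForwardedURI(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		fmt.Println(SkipsAuth(r, true)) // via trusted proxy: /admin false
	})).ServeHTTP(httptest.NewRecorder(), r)
}
```

Running HeaderMismatch over access logs or captured headers gives the same "header differs from request URI" check the tcpdump and tshark commands above are meant to surface.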