CVE-2025-64484

Published: 10 Nov 2025
Source: redhat
CVSS3: 8.5
EPSS: Low

Description

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications) are affected. Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy's filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched in v7.13.0. By default, all specified headers are now normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) are ignored when matching headers to be stripped. For example, both X-Forwarded-For and X_Forwarded-for are now treated as equivalent and stripped away. For those who have a rationale that requires keeping a similar-looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called InsecureSkipHeaderNormalization. As a workaround, ensure that filtering and processing logic in upstream services does not treat underscores and hyphens in headers the same way.

A header-smuggling vulnerability was found in OAuth2-Proxy's handling of HTTP headers containing underscores (_), such as X_Forwarded_For. The proxy failed to properly normalize these header names, which could allow crafted requests to bypass header validation or filtering. When OAuth2-Proxy is deployed in front of applications (e.g., WSGI frameworks like Django, Flask, FastAPI, or PHP apps) that treat underscores and hyphens in header names as equivalent, an authenticated attacker could exploit this to inject or manipulate upstream headers, potentially gaining unauthorized access to protected endpoints or sensitive information. The vulnerability affects deployments where header trust boundaries are not strictly enforced between the proxy and the backend application.

Report

This flaw has been rated High severity (CVSS 8.5) by Red Hat Product Security. S:C (Changed): the vulnerability in OAuth2-Proxy can affect the behavior of an upstream application that relies on the proxy for identity and access control. The proxy causes the backend (an internal component) to behave in a way that changes the effective security boundary (the backend treats the injected header as trusted), so scope is changed. C:H (High): an attacker can gain access to protected internal endpoints or sensitive application data by bypassing proxy controls. I:L (Low): the attacker may be able to influence request routing or authentication headers (some integrity impact) rather than alter application data; full integrity compromise is unlikely from header name normalization alone. A:N (None): availability is not impacted.

It is important to note that this vulnerability only applies when OAuth2-Proxy is deployed in front of an application that normalizes underscore header names or otherwise treats them differently from hyphenated ones; not all deployments are exposed. The authentication/authorization logic of OAuth2-Proxy itself is not compromised.
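The following Go snippet is an added illustration of the matching behaviour the advisory describes, not oauth2-proxy's own code: with normalization off (the pre-7.13.0 behaviour, and what the advisory's InsecureSkipHeaderNormalization field re-enables per header), only the canonical spelling of a configured header is stripped and an underscore variant reaches the upstream; with normalization on, case and underscore/dash differences are folded before matching and both spellings are removed. The header names and values are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// normalizeHeaderName lowercases a name and folds "_" to "-" (the v7.13.0 match),
// so "X-Forwarded-For" and "X_Forwarded-for" compare equal.
func normalizeHeaderName(name string) string {
	return strings.ReplaceAll(strings.ToLower(name), "_", "-")
}

// stripHeaders drops every header whose name matches a configured one.
// normalize=false emulates the pre-7.13.0 match on Go's canonical form only,
// which leaves "X_Forwarded_For" in place; normalize=true is the fixed match.
func stripHeaders(h http.Header, toStrip []string, normalize bool) http.Header {
	key := http.CanonicalHeaderKey
	if normalize {
		key = normalizeHeaderName
	}
	want := map[string]bool{}
	for _, n := range toStrip {
		want[key(n)] = true
	}
	out := http.Header{}
	for name, vals := range h {
		if !want[key(name)] {
			out[name] = vals // keep the original spelling of what survives
		}
	}
	return out
}

// sampleRequestHeaders is constructed sample input: the canonical header,
// an underscore variant of the same name, and an unrelated header.
func sampleRequestHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Forwarded-For", "10.0.0.1")
	h.Set("X_Forwarded_For", "198.51.100.7")
	h.Set("Accept", "text/html")
	return h
}

func main() {
	for _, normalize := range []bool{false, true} {
		fmt.Printf("normalize=%v -> %v\n", normalize,
			stripHeaders(sampleRequestHeaders(), []string{"X-Forwarded-For"}, normalize))
	}
}
```

Note that Go's own http.CanonicalHeaderKey does not treat "_" as a word separator, so canonicalization alone never merges the two spellings; the explicit fold in normalizeHeaderName is what closes the gap.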

Mitigation

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Affected packages

Platform: Red Hat Ceph Storage 8
Package: rhceph/oauth2-proxy-rhel9
State: Affected


Additional information

Status: Important
Flaw: CWE-644
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2413911 (oauth2-proxy: OAuth2-Proxy vulnerable to header smuggling via underscore, leading to potential privilege escalation)

EPSS: 0.00042 (percentile 13%, Low)
CVSS3: 8.5 High

Related vulnerabilities

CVSS3: 8.5
nvd
5 months ago


CVSS3: 8.5
debian
5 months ago


CVSS3: 8.5
github
5 months ago

OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation
