CVE-2020-5233

low-risk
Published 2020-01-30

OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Oauth2 Proxy

Affected Vendors

Oauth2 Proxy Project

References (6)

Patch https://github.com/pusher/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b31...
Release Notes https://github.com/pusher/oauth2_proxy/releases/tag/v5.0.0
Exploit https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
Patch https://github.com/pusher/oauth2_proxy/commit/a316f8a06f3c0ca2b5fc5fa18a91781b31...
Release Notes https://github.com/pusher/oauth2_proxy/releases/tag/v5.0.0
Exploit https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal