// For flags

CVE-2022-36087

OAuthLib vulnerable DoS when attacker provides malicious IPV6 URI

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.

OAuthLib es una implementación de la lógica de firma de peticiones OAuth para Python versión 3.6+. En OAuthLib versiones 3.1.1 hasta 3.2.1, un atacante que proporcione una uri de redireccionamiento maliciosa puede causar una denegación de servicio. Un atacante también puede aprovechar el uso de las funciones "uri_validate" dependiendo de dónde sea usado. Las aplicaciones de OAuthLib que usan el soporte del proveedor OAuth2.0 o que usan directamente "uri_validate" están afectadas por este problema. La versión 3.2.1 contiene un parche. No se presentan mitigaciones conocidas

A flaw was found in python-oauthlib. This flaw allows an attacker providing a malicious redirect URI to cause a denial of service to OAuthLib's web application.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-09-09 CVE Published
  • 2024-04-30 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oauthlib Project
Search vendor "Oauthlib Project"
 Oauthlib
Search vendor "Oauthlib Project" for product "Oauthlib"
 >= 3.1.1 < 3.2.1
Search vendor "Oauthlib Project" for product "Oauthlib" and version " >= 3.1.1 < 3.2.1"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected