diff --git a/gems/oauth/GHSA-prq8-7wvh-44qh.yml b/gems/oauth/GHSA-prq8-7wvh-44qh.yml new file mode 100644 index 0000000000..b31e6ee788 --- /dev/null +++ b/gems/oauth/GHSA-prq8-7wvh-44qh.yml @@ -0,0 +1,84 @@ +--- +gem: oauth +ghsa: prq8-7wvh-44qh +url: https://github.com/ruby-oauth/oauth/security/advisories/GHSA-prq8-7wvh-44qh +title: Cross-origin OAuth token-request redirects can expose + signed request metadata +date: 2026-06-07 +description: | + ## Summary + + When an application uses OAuth::Consumer to request OAuth 1.0 request + tokens or access tokens, the token request helper follows 300..399 + redirects returned by the OAuth server. In affected versions, + OAuth::Consumer#token_request parses the raw Location header, follows + the redirect recursively, and can mutate the consumer's configured + site when the redirect points to a different host with the same path. + + The result is a cross-origin signed-request disclosure primitive: if an OAuth + server token endpoint returns a redirect whose target an attacker controls, + the client can re-sign the token request and send OAuth 1.0 request metadata, + including the OAuth signature, nonce, timestamp, consumer key, and any request + parameters included in the signature base string, to the attacker-controlled + host. The same behavior can also be used as an SSRF or confused-deputy + primitive because the application server follows the redirect and sends + the next request from its own network position. + + ## Affected + + oauth v1.1.5 and prior versions back to and including v0.5.5. + The cross-host token redirect behavior was introduced by d74b767f + The behavior is documented in the v0.5.5 changelog as "Allow redirect to + different host but same path". + The vulnerable behavior is in OAuth::Consumer#token_request, which is + used by the documented request-token and access-token flows. + The issue is not specific to a Ruby engine or platform. It is caused by the + gem's redirect handling and recursive token request behavior. + Patched version: oauth v1.1.6. + + ## Impact + + A consumer that calls OAuth::Consumer#get_request_token, + OAuth::Consumer#get_access_token, or lower-level token request helpers + against an OAuth server whose token endpoint redirect target can be + influenced may lose three security properties: + + Cross-origin signed-request metadata disclosure. The redirected request is + signed for the attacker-controlled endpoint. Depending on the request method, + scheme, and parameters, the attacker may receive OAuth 1.0 parameters such as + oauth_consumer_key, oauth_signature_method, oauth_timestamp, + oauth_nonce, oauth_version, and oauth_signature. + SSRF from the application server. The OAuth client follows the redirect on + behalf of the application, so the redirected host is contacted from the + application server's network position. + Confused-deputy behavior. A malicious or compromised token endpoint can + cause an otherwise trusted application to initiate signed requests to an + unintended origin. + The disclosed OAuth 1 signature is not equivalent to an OAuth 2 bearer token: + it is bound to the signed request, timestamp, nonce, HTTP method, and request + URL. However, it can still disclose sensitive integration metadata, may be + replayable within the receiver's accepted nonce/timestamp window in some + deployments, and can expose application-server reachability to + attacker-selected hosts. + + ## Credit + + * Found during the follow-up audit for GHSA-pp92-crg2-gfv9. + + * Reporter/coordinator: Peter H. Boling (pboling) +cvss_v3: 7.2 +unaffected_versions: + - "< 0.5.5" +patched_versions: + - ">= 1.1.6" +related: + url: + - https://github.com/ruby-oauth/oauth/blob/v1.1.6/CHANGELOG.md + - https://github.com/ruby-oauth/oauth/releases/tag/v1.1.6 + - https://github.com/ruby-oauth/oauth/commit/d74b767f + - https://github.com/ruby-oauth/oauth/security/advisories/GHSA-pp92-crg2-gfv9 + - https://github.com/ruby-oauth/oauth/security/advisories/GHSA-prq8-7wvh-44qh +notes: | + - Not on GHSA. + - No CVE value - will add it if it shows up. + - No NVD/[cvss_v2, cvss_v4] values - v3 from GHSA. diff --git a/gems/oauth2/GHSA-pp92-crg2-gfv9.yml b/gems/oauth2/GHSA-pp92-crg2-gfv9.yml new file mode 100644 index 0000000000..dbf4e7c59c --- /dev/null +++ b/gems/oauth2/GHSA-pp92-crg2-gfv9.yml @@ -0,0 +1,85 @@ +--- +gem: oauth2 +ghsa: pp92-crg2-gfv9 +url: https://github.com/ruby-oauth/oauth2/security/advisories/GHSA-pp92-crg2-gfv9 +title: Protocol-relative redirect Location overrides authority in + OAuth2::Client#request, leaking bearer Authorization to attacker host +date: 2026-06-07 +description: | + ## Summary + + When an application uses OAuth2::Client (typically via an + OAuth2::AccessToken) and the configured authorization server returns + a redirect whose Location header is a protocol-relative URI of the + form //attacker.example/leak, OAuth2::Client#request resolves the + redirect with response.response.env.url.merge(location). Per + RFC 3986 §5.2, an input that starts with // is a network-path reference + and replaces the authority of the base URL: + URI("http://idp.trusted/userinfo").merge("//attacker.example/leak") + returns http://attacker.example/leak. The recursive request(verb, + full_location, req_opts) call then re-sends the request to the attacker + host while preserving the Authorization: Bearer header + that OAuth2::AccessToken#configure_authentication! installed on + req_opts[:headers] for the original request. + + The result is a one-shot cross-origin credential disclosure: any 30x + response from the IdP that an attacker can influence (a compromised + endpoint, a tenant-controlled IdP in a multi-tenant deployment, or an + open-redirect handler that does not normalise the Location it emits) + can extract the bearer access token of the calling user. + + ## Affected + + * oauth2 v2.0.21 and all prior versions back to and including v0.4.0. + * The underlying unsafe redirect-following behavior that + reuses headers starts in v0.4.0 via b944da5. + * The vulnerability was retained when the code was refactored + to a redirect helper, and in this form has been present in + OAuth2::Client#request since v2.0.0 via b944da5. + * Ruby 4.0.5 on arm64-darwin25. The behaviour of URI#merge for + protocol-relative inputs is RFC-conformant and the same on every + supported Ruby (≥ 2.x). + * Adapter independence: confirmed against the default faraday 2.14.2 + + faraday-net_http 3.4.3 stack. The URI#merge call is in oauth2 + itself, not in Faraday, so the issue is not adapter-specific. + + ## Impact + + A consumer that uses OAuth2::AccessToken#get / #post / #request + against an IdP whose redirect target an attacker can influence (open + redirect, malicious tenant, or in-path adversary) loses two things at once: + + 1. Cross-origin credential disclosure. The connection-scoped + Authorization: Bearer header attached by + OAuth2::AccessToken#configure_authentication! is sent to the + attacker host on the very next request, with no second user interaction. + 2. SSRF from the application server. The OAuth2 client follows the + redirect on behalf of the application, so the host that ultimately + receives the request is one the attacker chooses — useful for + hitting internal addresses (//169.254.169.254/..., //127.0.0.1:.../...) + that the application server can reach but the attacker cannot. + + The combined primitive is stronger than the usual cross-origin-redirect + leak because no application-level cooperation is required and no + Location: http://attacker/... is needed — the protocol-relative + //attacker/x form slips past naive scheme-based Location filters + that allow same-scheme-implicit redirects. + + ## Credit + + * Reported by tonghuaroot. +cvss_v3: 8.6 +unaffected_versions: + - "< 0.4.0" +patched_versions: + - ">= 2.0.22" +related: + url: + - https://github.com/ruby-oauth/oauth2/blob/v2.0.22/CHANGELOG.md + - https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.22 + - https://github.com/ruby-oauth/oauth2/commit/442c1609858ebaecbac5eab77f4511bc81ed7383 + - https://github.com/ruby-oauth/oauth2/security/advisories/GHSA-pp92-crg2-gfv9 +notes: | + - Not on GHSA. + - No CVE value - will add it if it shows up. + - No NVD/[cvss_v2, cvss_v4] values - v3 from GHSA.