CVE-2022-36087
Denial of Service vulnerability in oauthlib (PyPI)
What is CVE-2022-36087 About?
This vulnerability in OAuthLib versions 3.1.1 through 3.2.1 allows for a Denial of Service (DoS) attack. An attacker can provide a malicious redirect URI, which when processed by `uri_validate` functions, causes resource exhaustion. Exploitation can be relatively easy if an application uses the affected OAuth2.0 provider support or directly calls `uri_validate` with untrusted input.
Affected Software
- oauthlib
- <2e40b412c844ecc4673c3fa3f72181f228bdbacd
- >3.1.1, <3.2.2
- >3.1.1, <3.2.1
Technical Details
The Denial of Service (DoS) vulnerability in OAuthLib (versions 3.1.1 to 3.2.1) affects Python applications that rely on the library for OAuth request-signing and provider logic. The issue arises when an attacker crafts and supplies a malicious redirect URI. When the `uri_validate` functions within OAuthLib process that URI, specifically in the code paths supporting OAuth2.0 providers, they can perform an excessive amount of work. This resource exhaustion, potentially due to inefficient parsing or validation logic for malformed URIs, leaves the application unresponsive and so causes a denial of service. The attacker leverages the fact that redirect URIs are accepted as input in order to reach the vulnerable code path.
What is the Impact of CVE-2022-36087?
Successful exploitation may allow attackers to cause a denial of service, rendering the application or service unresponsive and unavailable to legitimate users.
What is the Exploitability of CVE-2022-36087?
Exploitation of this Denial of Service vulnerability is of low to moderate complexity. It requires remote access to an application that uses the vulnerable OAuthLib library, specifically where OAuth2.0 provider support is enabled or where the `uri_validate` functions are directly exposed to untrusted input. No prior authentication or elevated privileges are explicitly required; an attacker merely needs to supply a maliciously crafted redirect URI. The specific attack vector involves manipulating the `redirect_uri` parameter to trigger the DoS condition. The likelihood of exploitation is higher in applications that widely accept and validate user-supplied redirect URIs.
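As a defensive illustration added to this entry (not oauthlib's own code), the following Python shows how an OAuth2 provider can bound what reaches a library URI validator at all: a length cap, a linear-time character check and exact matching against pre-registered redirect URIs, together with a check of an installed oauthlib version against the range stated above. The registered URIs, the 2048-character cap and the sample request batch are constructed for the example.

```python
"""Bounded pre-checks for an untrusted redirect_uri (added example, not oauthlib code)."""
import re
# Affected range as this entry states it: 3.1.1 through 3.2.1, fixed from 3.2.2.
AFFECTED_LOW, FIXED = (3, 1, 1), (3, 2, 2)
# Constructed: URIs pre-registered for one hypothetical client; assumed length cap.
REGISTERED = {"https://app.example.com/callback", "https://app.example.com/cb2"}
MAX_URI_LEN = 2048
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")  # one class, no nesting: linear time

def parse_version(version):
    """'3.2.1' -> (3, 2, 1); pre-release tags are ignored (prefer packaging.version)."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def oauthlib_is_affected(version):
    """True when the installed oauthlib falls inside the vulnerable range."""
    return AFFECTED_LOW <= parse_version(version) < FIXED

def check_redirect_uri(candidate, registered=REGISTERED, max_len=MAX_URI_LEN):
    """Return (accepted, reason). Each check is O(len) and runs before the value
    could reach a library validator such as uri_validate."""
    if not isinstance(candidate, str):
        return False, "not_a_string"
    if len(candidate) > max_len:
        return False, "too_long"
    if not _URI_CHARS.fullmatch(candidate):
        return False, "bad_characters"
    if candidate not in registered:  # exact string match, no normalisation
        return False, "not_registered"
    return True, "exact_match"

def triage(requests):
    """Per-reason counts over a request batch; bursts of rejections are an alert signal."""
    counts = {}
    for req in requests:
        _, reason = check_redirect_uri(req.get("redirect_uri"))
        counts[reason] = counts.get(reason, 0) + 1
    return counts

# Constructed batch: legitimate, wrong host, oversized value, missing parameter.
SAMPLE_REQUESTS = [
    {"client_id": "app", "redirect_uri": "https://app.example.com/callback"},
    {"client_id": "app", "redirect_uri": "https://evil.example/callback"},
    {"client_id": "app", "redirect_uri": "https://app.example.com/" + "a" * 5000},
    {"client_id": "app"},
]
```

Exact matching is what the OAuth 2.0 security guidance recommends anyway; the point here is that it also never hands attacker-shaped input to a general-purpose validator.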
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-36087?
Available Upgrade Options
- oauthlib
- >3.1.1, <3.2.2 → Upgrade to 3.2.2
- oauthlib
- >3.1.1, <3.2.1 → Upgrade to 3.2.1
- oauthlib
- <2e40b412c844ecc4673c3fa3f72181f228bdbacd → Upgrade to 2e40b412c844ecc4673c3fa3f72181f228bdbacd
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRYLYHE5HWF6R2CRLJFUK4PILR47WXOE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X2CQZM5CKOUM4GW2GTAPQEQFPITQ6F7S
- https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
- https://github.com/pypa/advisory-database/tree/main/vulns/oauthlib/PYSEC-2022-269.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBCQJR3ZF7FVNTJYRVPVSQEQRAYZIUHU
- https://github.com/oauthlib/oauthlib
- https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
What are Similar Vulnerabilities to CVE-2022-36087?
Similar Vulnerabilities: CVE-2023-34036, CVE-2024-24680, CVE-2024-27351, CVE-2021-32050, CVE-2022-42969
