PT-2020-14299 · Ory · Ory Fosite
Aeneasr
Published: 2020-10-02
Updated: 2021-11-18
CVE: CVE-2020-15233
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
ORY Fosite versions 0.30.2 through 0.34.1
Description
The issue allows an attacker to override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that points to the loopback adapter. Attackers can add custom URL query parameters to their loopback redirect URL and can also override the host of the registered redirect URL. These attacks are only applicable in scenarios where the attacker has access to the loopback interface.
Recommendations
For versions 0.30.2 through 0.34.1, update to ORY Fosite v0.34.1 to resolve the issue. As a temporary workaround, consider restricting access to loopback interfaces to minimize the risk of exploitation. Avoid using custom URL query parameters in redirect URLs for loopback interfaces until the issue is resolved.
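The safe form of the loopback exception described above, as an added example that is not Fosite's own code: the server compares the requested redirect_uri with the registered one and lets only the port vary, and only when the registered URI is a loopback address, so neither extra query parameters nor a different host are accepted. The function name and the sample URIs are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isLoopbackHost reports whether hostname is a loopback IP literal such as
// 127.0.0.1 or ::1. "localhost" is deliberately not treated as loopback here.
func isLoopbackHost(hostname string) bool {
	ip := net.ParseIP(hostname)
	return ip != nil && ip.IsLoopback()
}

// RedirectURIMatches compares a requested redirect_uri against one registered
// redirect URI. Scheme, hostname, path and query must be identical and no
// fragment is allowed; only the port may differ, and only when the registered
// URI is a loopback URI (the RFC 8252 native-app exception). Hypothetical helper.
func RedirectURIMatches(registered, requested string) bool {
	reg, err := url.Parse(registered)
	if err != nil {
		return false
	}
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	// Exact match on everything except the port: blocks added query
	// parameters and any attempt to swap the host.
	if reg.Scheme != req.Scheme || reg.Path != req.Path ||
		reg.RawQuery != req.RawQuery || req.Fragment != "" ||
		reg.Hostname() != req.Hostname() {
		return false
	}
	if reg.Port() == req.Port() {
		return true
	}
	// The port differs: permitted only for loopback redirect URIs.
	return isLoopbackHost(reg.Hostname())
}

func main() {
	reg := "http://127.0.0.1/callback" // constructed registered URI
	for _, r := range []string{
		"http://127.0.0.1:49152/callback",                   // ok: only the port changed
		"http://127.0.0.1:49152/callback?next=/somewhere",   // rejected: extra query
		"http://other-host.example:49152/callback",          // rejected: host changed
	} {
		fmt.Printf("%-50s %v\n", r, RedirectURIMatches(reg, r))
	}
}
```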
Fix
Open Redirect
RCE
Related Identifiers
Affected Products
Ory Fosite