PT-2021-14486 · Unknown · Oauth2 Proxy

Bohrasd (+1) · Published: 2021-03-26 · Updated: 2025-08-19 · CVE-2021-21411

CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OAuth2-Proxy versions 7.0.0 through 7.0.x

Description: The --gitlab-group flag for group-based authorization in the GitLab provider stopped working, allowing any authenticated user to access applications regardless of --gitlab-group membership restrictions. This issue impacts GitLab provider users who rely on group membership for authorization restrictions. The problem arose from a bug introduced while adding GitLab project-based authorization support: the user session's groups field was populated with the --gitlab-group config entries instead of the individual user's group membership from the GitLab Userinfo endpoint.

Recommendations: For OAuth2-Proxy versions 7.0.0 through 7.0.x, update to version 7.1.0 to resolve the issue. As a temporary workaround, consider setting --gitlab-project to use project membership for the authorization checks instead of groups, as this feature is not affected by the bug.
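As an added illustration (not oauth2-proxy's own code), the following Go sketch models the bug class the description names: a session whose groups are copied from the --gitlab-group configuration always satisfies its own allow-list, whereas a session populated from the user's Userinfo membership is checked properly. The type and function names, and the sample user, are hypothetical.

```go
package main

import "fmt"

// Config holds the --gitlab-group allow-list (field name is hypothetical).
type Config struct{ GitLabGroups []string }
// UserInfo is the part of a GitLab Userinfo response that carries group
// membership; Session is what the proxy keeps for the logged-in user.
type UserInfo struct {
	Email  string
	Groups []string
}
type Session struct {
	Email  string
	Groups []string
}

// buildSessionVulnerable reproduces the bug class from the advisory: the
// session's Groups are filled from the config instead of from the user.
func buildSessionVulnerable(cfg Config, ui UserInfo) Session {
	return Session{Email: ui.Email, Groups: cfg.GitLabGroups}
}

// buildSessionFixed stores the groups the Userinfo endpoint reported.
func buildSessionFixed(ui UserInfo) Session {
	return Session{Email: ui.Email, Groups: append([]string(nil), ui.Groups...)}
}

// authorized allows the session if it holds at least one allow-listed group;
// an empty allow-list means no group restriction was configured.
func authorized(cfg Config, s Session) bool {
	if len(cfg.GitLabGroups) == 0 {
		return true
	}
	for _, allowed := range cfg.GitLabGroups {
		for _, g := range s.Groups {
			if g == allowed {
				return true
			}
		}
	}
	return false
}

func main() { // constructed sample: a user outside the allowed group
	cfg := Config{GitLabGroups: []string{"platform-admins"}}
	outsider := UserInfo{Email: "dev@example.test", Groups: []string{"frontend-devs"}}
	fmt.Println("vulnerable:", authorized(cfg, buildSessionVulnerable(cfg, outsider))) // true
	fmt.Println("fixed:", authorized(cfg, buildSessionFixed(outsider)))                // false
}
```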

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BIT-OAUTH2-PROXY-2021-21411
CVE-2021-21411
GHSA-652X-M2GR-HPPM
GO-2025-3832
OPENSUSE-SU-2025:15434-1
SUSE-SU-2025:02912-1

Affected Products

Oauth2 Proxy