PT-2023-33005 · Unknown · Email Oauth 2.0 Proxy

Published

2023-12-19

·

Updated

2023-12-19

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Email OAuth 2.0 Proxy versions 2022-09-05 through 2023-12-18

Description

The proxy renews expired OAuth 2.0 client credentials grant (CCG) flow authorization tokens without checking their validity against the original account configuration, which allows an attacker to gain access to an account. This can be done by attempting to log in during a specific time period before the token expiry time. The issue is a security concern if the proxy is used with the CCG flow and without additional account secret encryption. A significant number of devices are estimated to be affected, particularly in publicly accessible settings.

Recommendations

To fix the issue, update to version 2023-12-19 or later of the Email OAuth 2.0 Proxy immediately. If you use the CCG flow but have set encrypt_client_secret_on_first_use = True and removed the original client secret value from the proxy's configuration file, this issue is not a concern. For all other use cases, keep the proxy up to date as best practice. If you cannot update yet, consider disabling the CCG flow as a temporary workaround. Restrict access to the proxy in publicly accessible settings to minimize the risk of exploitation. Avoid using the client secret value in the affected API endpoint until the issue is resolved.
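The renewal weakness and the two mitigations above (a fixed renewal path, or keeping no plaintext client secret in the configuration file), as an added illustrative model written for this record; it is not the Email OAuth 2.0 Proxy's own code. The function names, the 300-second renewal window, the in-memory cache layout and the stand-in token endpoint are all assumptions of the example.

```python
"""Hypothetical model of client-credentials (CCG) token renewal in a mail proxy.
Illustrates the advisory's point; it is not the Email OAuth 2.0 Proxy's code."""
import hashlib

RENEWAL_WINDOW = 300  # assumed: seconds before expiry in which the proxy renews


def _h(secret: str) -> str:
    """Store only a hash of the secret a token was obtained with."""
    return hashlib.sha256(secret.encode()).hexdigest()


def ccg_exchange(client_id: str, secret: str, registered: dict, now: float) -> dict:
    """Stand-in for the OAuth token endpoint (constructed): rejects a wrong secret."""
    if registered.get(client_id) != secret:
        raise PermissionError("invalid_client")
    digest = hashlib.sha256(f"{client_id}:{now}".encode()).hexdigest()[:16]
    return {"access_token": f"tok-{digest}", "expires_at": now + 3600}


def login(cache: dict, cfg: dict, account: str, supplied_secret: str,
          registered: dict, now: float, hardened: bool) -> str:
    """Authenticate a mail client presenting the client secret as its password and
    return the access token the proxy will use upstream."""
    entry = cache.get(account)
    if entry is not None and now < entry["expires_at"] - RENEWAL_WINDOW:
        # Cached token still valid: the presented secret must be the one it was issued for.
        if _h(supplied_secret) != entry["secret_hash"]:
            raise PermissionError("bad password")
        return entry["access_token"]
    if entry is not None and not hardened and cfg.get("client_secret"):
        # Unsafe renewal: the token is expiring, so the proxy renews it with the
        # plaintext secret from its configuration file; the presented one is never checked.
        secret = cfg["client_secret"]
    else:
        # First login, hardened mode, or no plaintext secret in the config file: renew
        # with what the client presented, so a wrong secret fails at the token endpoint.
        secret = supplied_secret
    token = ccg_exchange(cfg["client_id"], secret, registered, now)
    cache[account] = {**token, "secret_hash": _h(secret)}
    return token["access_token"]


def login_succeeds(*args, **kwargs) -> bool:
    """True if login() returns a token, False if the login is rejected."""
    try:
        login(*args, **kwargs)
        return True
    except PermissionError:
        return False
```

With hardened=False and a plaintext client_secret in cfg, a wrong password is rejected while the cached token is valid but accepted once the renewal window opens; with hardened=True, or with client_secret absent from cfg, the same attempt is rejected in both periods.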

Fix

Weakness Enumeration

Related Identifiers

GHSA-9WGG-M99Q-HHFC

Affected Products

Email Oauth 2.0 Proxy