Nixpkgs security tracker
3.5 LOW
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Physical (P)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Physical (P)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored maintainer @Swarsel maintainer.ignore
- @LeSuisse accepted
- @LeSuisse published on GitHub
OAuth2 Proxy: Session cookie not cleared when rendering sign-in page
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
References
Ignored references (1)
-
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 x_refsource_MISC
Affected products
- ==>= 7.11.0, < 7.15.2
Matching in nixpkgs
pkgs.oauth2-proxy
Reverse proxy that provides authentication with Google, Github, or other providers
Package maintainers
Ignored maintainers (1)
-
@Swarsel Leon Schwarzäugl <leon@swarsel.win>