{"id":"PYSEC-2022-269","details":"OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.","aliases":["CVE-2022-36087","GHSA-3pgj-pg6c-r5p7"],"modified":"2023-11-08T04:10:00.371667Z","published":"2022-09-09T21:15:00Z","references":[{"type":"WEB","url":"https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py"},{"type":"WEB","url":"https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1"},{"type":"WEB","url":"https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232"},{"type":"ADVISORY","url":"https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7"},{"type":"FIX","url":"https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd"}],"affected":[{"package":{"name":"oauthlib","ecosystem":"PyPI","purl":"pkg:pypi/oauthlib"},"ranges":[{"type":"GIT","repo":"https://github.com/oauthlib/oauthlib","events":[{"introduced":"0"},{"fixed":"2e40b412c844ecc4673c3fa3f72181f228bdbacd"}]},{"type":"ECOSYSTEM","events":[{"introduced":"3.1.1"},{"fixed":"3.2.1"}]}],"versions":["3.1.1","3.2.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/oauthlib/PYSEC-2022-269.yaml"}}],"schema_version":"1.7.3"}