| Field | Value |
|---|---|
| Vulnerability Name | CVE-2022-36087 (CCN-235780) |
| Assigned | 2022-09-09 |
| Published | 2022-09-09 |
| Updated | 2022-11-10 |
| Summary | OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 up to (but not including) 3.2.1, an attacker providing a malicious redirect URI can cause a denial of service. An attacker can also leverage the `uri_validate` functions, depending on where they are used. OAuthLib applications that use the OAuth 2.0 provider support, or that call `uri_validate` directly, are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds. |
| CVSS v3 Severity | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H); 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C); 5.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C) |
| Vulnerability Type | CWE-20 |
| Vulnerability Consequences | Denial of Service |

References:

- Source: MITRE; Type: CNA; CVE-2022-36087
- Source: XF; Type: UNKNOWN; oauthlib-cve202236087-dos(235780)
- Source: MISC; Type: Exploit, Third Party Advisory; https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
- Source: MISC; Type: Exploit, Third Party Advisory; https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
- Source: MISC; Type: Patch, Third Party Advisory; https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
- Source: MISC; Type: Third Party Advisory; https://github.com/oauthlib/oauthlib/releases/tag/v3.2.1
- Source: CCN; Type: OAuthlib GIT Repository; "DoS when attacker provide malicious IPV6 URI"
- Source: CONFIRM; Type: Exploit, Mitigation, Third Party Advisory; https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
- Source: FEDORA; Type: Mailing List, Third Party Advisory; FEDORA-2022-5a74a5eea7
- Source: CCN; Type: IBM Security Bulletin 6840933 (Watson Discovery); "IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in OAuthLib"
- Source: CCN; Type: IBM Security Bulletin 6842215 (Spectrum Protect Plus); "Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087)"
- Source: CCN; Type: IBM Security Bulletin 6853463 (Robotic Process Automation for Cloud Pak); "Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak"
- Source: CCN; Type: IBM Security Bulletin 6857803 (Cloud Pak for Watson AIOps); "Multiple Vulnerabilities in CloudPak for Watson AIOPs"
- Source: CCN; Type: IBM Security Bulletin 6987807 (Maximo Application Suite); "OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite"
- Source: CCN; Type: IBM Security Bulletin 7004655 (Cloud Pak for Security); "IBM Cloud Pak for Security includes components with multiple known vulnerabilities"
- Source: CCN; Type: IBM Security Bulletin 7005455 (Spectrum Discover); "IBM Spectrum Discover is vulnerable to multiple vulnerabilities"
- Source: CCN; Type: IBM Security Bulletin 7014235 (Maximo Application Suite); "OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component"

Vulnerable Configuration: Configuration 1; Configuration 2; Configuration CCN 1