Moderate severityNVD Advisory· Published Sep 9, 2022· Updated Apr 22, 2025
OAuthLib vulnerable DoS when attacker provides malicious IPV6 URI
CVE-2022-36087
Description
OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of uri_validate functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly uri_validate are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
oauthlibPyPI | >= 3.1.1, < 3.2.2 | 3.2.2 |
Affected products
58- ghsa-coords57 versionspkg:pypi/oauthlibpkg:rpm/almalinux/fence-agents-aliyunpkg:rpm/almalinux/fence-agents-allpkg:rpm/almalinux/fence-agents-amt-wspkg:rpm/almalinux/fence-agents-apcpkg:rpm/almalinux/fence-agents-apc-snmppkg:rpm/almalinux/fence-agents-awspkg:rpm/almalinux/fence-agents-azure-armpkg:rpm/almalinux/fence-agents-bladecenterpkg:rpm/almalinux/fence-agents-brocadepkg:rpm/almalinux/fence-agents-cisco-mdspkg:rpm/almalinux/fence-agents-cisco-ucspkg:rpm/almalinux/fence-agents-commonpkg:rpm/almalinux/fence-agents-computepkg:rpm/almalinux/fence-agents-drac5pkg:rpm/almalinux/fence-agents-eaton-snmppkg:rpm/almalinux/fence-agents-emersonpkg:rpm/almalinux/fence-agents-epspkg:rpm/almalinux/fence-agents-gcepkg:rpm/almalinux/fence-agents-heuristics-pingpkg:rpm/almalinux/fence-agents-hpbladepkg:rpm/almalinux/fence-agents-ibmbladepkg:rpm/almalinux/fence-agents-ibm-powervspkg:rpm/almalinux/fence-agents-ibm-vpcpkg:rpm/almalinux/fence-agents-ifmibpkg:rpm/almalinux/fence-agents-ilo2pkg:rpm/almalinux/fence-agents-ilo-moonshotpkg:rpm/almalinux/fence-agents-ilo-mppkg:rpm/almalinux/fence-agents-ilo-sshpkg:rpm/almalinux/fence-agents-intelmodularpkg:rpm/almalinux/fence-agents-ipdupkg:rpm/almalinux/fence-agents-ipmilanpkg:rpm/almalinux/fence-agents-kdumppkg:rpm/almalinux/fence-agents-kubevirtpkg:rpm/almalinux/fence-agents-lparpkg:rpm/almalinux/fence-agents-mpathpkg:rpm/almalinux/fence-agents-openstackpkg:rpm/almalinux/fence-agents-redfishpkg:rpm/almalinux/fence-agents-rhevmpkg:rpm/almalinux/fence-agents-rsapkg:rpm/almalinux/fence-agents-rsbpkg:rpm/almalinux/fence-agents-sbdpkg:rpm/almalinux/fence-agents-scsipkg:rpm/almalinux/fence-agents-virshpkg:rpm/almalinux/fence-agents-vmware-restpkg:rpm/almalinux/fence-agents-vmware-soappkg:rpm/almalinux/fence-agents-wtipkg:rpm/almalinux/fence-agents-zvmpkg:rpm/almalinux/fence-virtpkg:rpm/almalinux/fence-virtdpkg:rpm/almalinux/fence-virtd-cpgpkg:rpm/almalinux/fence-virtd-libvirtpkg:rpm/almalinux/fence-virtd-multicastpkg:rpm/almalinux/fence-virtd-serialpkg:rpm/almalinux/fence-virtd-tcppkg:rpm/almalinux/ha-cloud-supportpkg:rpm/opensuse/python-oauthlib&distro=openSUSE%20Tumbleweed
>= 3.1.1, < 3.2.2+ 56 more
- (no CPE)range: >= 3.1.1, < 3.2.2
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 4.10.0-43.el9
- (no CPE)range: < 3.2.2-5.4
Patches
Vulnerability mechanics
References
16- github.com/advisories/GHSA-3pgj-pg6c-r5p7ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXOPIA6M57CFQPUT6HHSNXCTV6QA3UDI/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBCQJR3ZF7FVNTJYRVPVSQEQRAYZIUHU/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRYLYHE5HWF6R2CRLJFUK4PILR47WXOE/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2CQZM5CKOUM4GW2GTAPQEQFPITQ6F7S/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2022-36087ghsaADVISORY
- github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.pyghsaWEB
- github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.pyghsaWEB
- github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacdghsaWEB
- github.com/oauthlib/oauthlib/releases/tag/v3.2.1ghsaWEB
- github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/oauthlib/PYSEC-2022-269.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXOPIA6M57CFQPUT6HHSNXCTV6QA3UDIghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBCQJR3ZF7FVNTJYRVPVSQEQRAYZIUHUghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYLYHE5HWF6R2CRLJFUK4PILR47WXOEghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X2CQZM5CKOUM4GW2GTAPQEQFPITQ6F7SghsaWEB
News mentions
0No linked articles in our index yet.