CVE-2024-25715
Description
Glewlwyd SSO server 2.x through 2.7.6 allows open redirection via redirect_uri.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Glewlwyd SSO server 2.x through 2.7.6 allows open redirection via the redirect_uri parameter.
Vulnerability
Glewlwyd SSO server versions 2.x through 2.7.6 contain an open redirection vulnerability in the OAuth2 and OIDC authorization flows. The redirect_uri of an authorization request is supposed to be checked against the redirect URIs registered for the client. In the check_client_valid and check_client_redirect_uri_valid functions, however, a NULL redirect_uri causes the variable uri_found to be set to 1 (valid) unconditionally, so a request that carries no redirect_uri passes the check without any comparison against the registered URIs taking place. This issue was addressed in two commits: [1] and [2].
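The flawed check beside a hardened one, as an added illustration that is not Glewlwyd's own code: the functions, the client's registered URI list and the test inputs below are hypothetical simplifications of the check_client_valid / check_client_redirect_uri_valid logic described above, whose real signatures are not shown on this page. The hardened variant follows RFC 6749 section 3.1.2.3, which permits omitting redirect_uri only when exactly one complete URI is registered, and compares supplied values byte-for-byte rather than by prefix.

```c
/* Added illustration, not the project's code. The registered URIs and the
 * request values are constructed samples. */
#include <stdio.h>
#include <string.h>

/* Hypothetical client with two registered redirect URIs (constructed). */
static const char *const REGISTERED[] = {
    "https://app.example.com/callback",
    "https://app.example.com/callback2",
};
#define N_REGISTERED (sizeof(REGISTERED) / sizeof(REGISTERED[0]))

/* Vulnerable pattern: a NULL redirect_uri is reported as "found" without
 * any comparison, so the request passes although nothing was checked. */
int redirect_uri_valid_vulnerable(const char *redirect_uri,
                                  const char *const *registered, size_t n) {
    int uri_found = 0;
    if (redirect_uri == NULL) {
        uri_found = 1;             /* the bug: accepted unconditionally */
    } else {
        for (size_t i = 0; i < n; i++) {
            if (strcmp(redirect_uri, registered[i]) == 0) {
                uri_found = 1;
                break;
            }
        }
    }
    return uri_found;
}

/* Hardened pattern: a missing redirect_uri is acceptable only when the client
 * has exactly one registered URI, and that URI is then the one to redirect to;
 * a supplied value must equal a registered URI exactly (no prefix matching).
 * On success *effective receives the URI to use; on failure it is NULL. */
int redirect_uri_valid_fixed(const char *redirect_uri,
                             const char *const *registered, size_t n,
                             const char **effective) {
    *effective = NULL;
    if (n == 0) {
        return 0;                  /* nothing registered: never redirect */
    }
    if (redirect_uri == NULL) {
        if (n != 1) {
            return 0;              /* ambiguous: RFC 6749 requires the parameter */
        }
        *effective = registered[0];
        return 1;
    }
    for (size_t i = 0; i < n; i++) {
        if (strcmp(redirect_uri, registered[i]) == 0) {
            *effective = registered[i];
            return 1;
        }
    }
    return 0;
}

int main(void) {
    const char *eff = NULL;
    const char *attacker = "https://evil.example.net/phish";   /* constructed */
    printf("vulnerable, NULL uri : %d\n",
           redirect_uri_valid_vulnerable(NULL, REGISTERED, N_REGISTERED));
    printf("vulnerable, attacker : %d\n",
           redirect_uri_valid_vulnerable(attacker, REGISTERED, N_REGISTERED));
    printf("fixed, NULL uri      : %d\n",
           redirect_uri_valid_fixed(NULL, REGISTERED, N_REGISTERED, &eff));
    printf("fixed, registered    : %d (%s)\n",
           redirect_uri_valid_fixed(REGISTERED[0], REGISTERED, N_REGISTERED, &eff), eff);
    printf("fixed, attacker      : %d\n",
           redirect_uri_valid_fixed(attacker, REGISTERED, N_REGISTERED, &eff));
    return 0;
}
```

The point of returning the effective URI from the hardened check is that the caller never builds the redirect from request-controlled data: whatever it redirects to was chosen from the registered list, so an accepted-but-unchecked value cannot reach the Location header.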
Exploitation
An attacker can exploit this vulnerability by initiating an OAuth2 or OIDC authorization request to the Glewlwyd SSO server without a redirect_uri parameter (so that the server handles it as a NULL value). The server then skips the redirect URI comparison and sets uri_found to 1, accepting the missing redirect_uri as valid. The attacker can craft a link that leverages the resulting open redirect to send a victim to an external site after authorization, typically as part of a phishing campaign [1][2].
Impact
Successful exploitation allows an attacker to redirect a user to an arbitrary external URL after the OAuth2/OIDC authorization flow. Because the victim started the flow on a domain they trust, the redirect lends credibility to a malicious site that may harvest credentials. Since the authorization response (the code, or tokens in the implicit flow) is delivered on that redirect, a redirect to an attacker-controlled endpoint can also leak those values [1][2].
Mitigation
The vulnerability is fixed by commits [1] and [2] on the development branch of Glewlwyd. Users should upgrade to version 2.7.7 or later once it is available. Registering a non-null redirect_uri on every OAuth2/OIDC client is sound hygiene, but it does not change the code path in which a request with no redirect_uri is accepted, so it should not be relied on as a substitute for upgrading. As of the insight date, the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Glewlwyd/Glewlwyd SSO server
- Range: 2.x through 2.7.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.