oauth2-proxy security fix following High Severity CVE-2020-11053

Today a notice for CVE-2020-11053 with a severity of High went out, impacting our oauth2-proxy that is used for authentication to our internal dashboards.

Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. The proxy checks and validates this redirect URL before redirecting the user, to prevent malicious actors from supplying redirects to potentially harmful sites. However, by crafting a redirect URL containing URL-encoded whitespace characters (e.g. %0a, %0b, %09, %0d) the validation could be bypassed, allowing a redirect to any URL provided.
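To illustrate the bug class described above, here is an added Go example (not oauth2-proxy's own code): a hypothetical naive check that only inspects the leading characters of the redirect, beside a hardened check that rejects whitespace and control characters and requires a path-only reference. The sample redirect values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// naiveIsSafeRedirect is a hypothetical illustration of a check that only
// looks at the first characters of the decoded redirect value.
func naiveIsSafeRedirect(redirect string) bool {
	return strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//")
}

// isSafeRedirect is a hardened check: no whitespace or control characters
// (browsers strip these, so "/\n/host" would become "//host"), no scheme,
// host or userinfo, and a path that starts with "/" but not "//" or "/\".
func isSafeRedirect(redirect string) bool {
	for _, r := range redirect {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return false
		}
	}
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	if !strings.HasPrefix(u.Path, "/") {
		return false
	}
	if strings.HasPrefix(redirect, "//") || strings.HasPrefix(redirect, "/\\") {
		return false
	}
	return true
}

func main() {
	// Constructed sample values as they would arrive in the query string;
	// unescape first, as the proxy would, then run both checks.
	samples := []string{"/dashboard", "/%0a/evil.example", "//evil.example", "https://evil.example"}
	for _, raw := range samples {
		decoded, _ := url.QueryUnescape(raw)
		fmt.Printf("%-22q naive=%-5v hardened=%v\n", raw, naiveIsSafeRedirect(decoded), isSafeRedirect(decoded))
	}
}
```

The naive check accepts the decoded "/%0a/evil.example" value while the hardened check rejects it.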

We are in the process of patching oauth2-proxy on all our clusters.

Upstream resources