Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit be0452bb0cdc · 2026-04-15T19:22:05.000Z
GHSA-7x63-xv5r-3p2x GHSA-gj7p-595x-qwf5 GHSA-xmj9-7625-f634
diff --git a/advisories/github-reviewed/2026/04/GHSA-7x63-xv5r-3p2x/GHSA-7x63-xv5r-3p2x.json b/advisories/github-reviewed/2026/04/GHSA-7x63-xv5r-3p2x/GHSA-7x63-xv5r-3p2x.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x63-xv5r-3p2x",
+  "modified": "2026-04-15T19:21:06Z",
+  "published": "2026-04-15T19:21:06Z",
+  "aliases": [
+    "CVE-2026-40575"
+  ],
+  "summary": "OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing",
+  "details": "### Impact\n\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n* OAuth2 Proxy is configured with `--reverse-proxy`\n* and at least one rule is defined with `--skip_auth_routes` or the legacy `--skip-auth-regex`\n\nOAuth2 Proxy may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-route` or `--skip-auth-regex` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.\n\nThis can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.\n\n\n### Patches\nThis issue is addressed as part of the newly introduced `--trusted-proxy-ip` flag in `v7.15.2`. If you leave it unset, OAuth2 Proxy will **continue to trust ALL** source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new `--trusted-proxy-ip` flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send `X-Forwarded-*` headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.\n\n### Mitigation\n\n- Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level\n- Explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy\n\n  Example nginx mitigation for the auth subrequest:\n  ```\n    location /internal-auth/ {\n      internal; # Ensure external users can't access this path\n  \n      # Make sure the OAuth2 Proxy knows where the original request came from.\n      proxy_set_header Host       $host;\n      proxy_set_header X-Real-IP  $remote_addr;\n      # set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri\n      proxy_set_header X-Forwarded-Uri $request_uri;\n  \n      proxy_pass http://oauth2-proxy:4180/;\n    }\n  ```\n- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy\n- Remove or narrow `--skip-auth-route` / `--skip-auth-regex` rules where possible",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.5.0"
+            },
+            {
+              "fixed": "7.15.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:21:06Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-gj7p-595x-qwf5/GHSA-gj7p-595x-qwf5.json b/advisories/github-reviewed/2026/04/GHSA-gj7p-595x-qwf5/GHSA-gj7p-595x-qwf5.json
@@ -0,0 +1,109 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gj7p-595x-qwf5",
+  "modified": "2026-04-15T19:19:43Z",
+  "published": "2026-04-15T19:19:43Z",
+  "aliases": [],
+  "summary": "Data Sharing Framework is Missing Session Timeout for OIDC Sessions",
+  "details": "### Affected Components\nDSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\nDSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n\n### Summary\nOIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.\n\n### Impact\nIf a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations.\n\nOnly affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.\n\n### Fix (commits f4ecb00, 7d25fea)\n- Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`).\n- Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime.\n- Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "dev.dsf:dsf-common-jetty"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.1.0"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "dev.dsf:dsf-fhir-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.1.0"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "dev.dsf:dsf-bpe-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.1.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-gj7p-595x-qwf5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/commit/7d25feafb83d66cb59985ac88568b67d937b1937"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/commit/f4ecb002f7d12642f92da6b79371ed367d0140e7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dsf.dev/operations/v2.1.0/bpe/oidc.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://dsf.dev/operations/v2.1.0/fhir/oidc.html"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/datasharingframework/dsf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-613"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:19:43Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-xmj9-7625-f634/GHSA-xmj9-7625-f634.json b/advisories/github-reviewed/2026/04/GHSA-xmj9-7625-f634/GHSA-xmj9-7625-f634.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xmj9-7625-f634",
+  "modified": "2026-04-15T19:19:50Z",
+  "published": "2026-04-15T19:19:50Z",
+  "aliases": [],
+  "summary": "Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache",
+  "details": "### Affected Components\n- DSF FHIR Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\n- DSF BPE Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n- DSF BPE Server API v2 process plugins using [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) with configured OIDC authentication.\n\n### Summary\n- The OIDC JWKS and Metadata Document caches used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never return cached values**. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.\n- The OIDC token cache for the [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never invalidate**. Every incoming request returned the same OIDC token even if expired.\n\n### Impact\n- **Performance:** Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency\n- **Reliability:** Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. \n If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys\n- **Load:** Unnecessary load on the OIDC provider, potentially causing rate limiting\n\n### Fix (commits 31c2e974d, d3ca59b4d)\n- Fixed cache timeout comparison from `isBefore` to `isAfter` in `BaseOidcClientWithCache` (configuration and JWKS caches) and `OidcClientWithCache` (configuration, JWKS, and access token caches)\n- Added configurable cache timeouts via `dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource` and `dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource` (default: `PT1H`)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "dev.dsf:dsf-bpe-process-api-v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.1.0"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "dev.dsf:dsf-bpe-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.1.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/datasharingframework/dsf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-670"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:19:50Z",
+    "nvd_published_at": null
+  }
+}
