CVE-2021-21411: 
Homebrew vulnerability analysis and mitigation

OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. A vulnerability was discovered in version 7.0.0 where the --gitlab-group flag for group-based authorization in the GitLab provider stopped functioning properly. The issue was assigned CVE-2021-21411 and was discovered in March 2021 (GitHub Advisory).

The vulnerability was introduced while adding GitLab project-based authorization support. A bug caused the user session's groups field to be populated with the --gitlab-group config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When session groups were compared against allowed groups for authorization, they matched improperly since both lists contained the same data, resulting in authorization being incorrectly granted (GitHub Advisory). The vulnerability has a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) (NVD).

This vulnerability affected GitLab Provider users who relied on group membership for authorization restrictions. Any authenticated users in the GitLab environment could access applications regardless of --gitlab-group membership restrictions. Additionally, authenticated users had whatever groups were set in --gitlab-group added to the new X-Forwarded-Groups header to the upstream application (GitHub Advisory).

The vulnerability was patched in version 7.1.0. For users unable to upgrade immediately, there was no direct workaround for the Group membership bug. However, users could set --gitlab-project to use Project membership as the authorization checks instead of groups, as this functionality remained unaffected (GitHub Advisory).