
Cloud Vulnerability DB
A community-led vulnerabilities database
OAuthLib, an implementation of OAuth request-signing logic for Python 3.6+, was found to contain a vulnerability (CVE-2022-36087) affecting versions 3.1.1 through 3.2.1. The vulnerability was discovered by Sebastian Chnelik from PyUp.io and disclosed on September 9, 2022. The issue affects OAuthLib applications using OAuth2.0 provider support or directly utilizing the uri_validate function (GitHub Advisory).
The vulnerability stems from improper validation of IPv6 addresses in redirect URIs. When processing a URI containing a maliciously crafted IPv6 address, the application can enter a state that leads to excessive resource consumption. The issue received a CVSS v3.1 base score of 6.5 (Medium) from NVD and 5.7 (Medium) from GitHub; the attack vector is Network, with low attack complexity and user interaction required (NVD).
When successfully exploited, the vulnerability can cause a denial of service condition in applications using OAuthLib. The impact is primarily focused on availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).
The vulnerability was patched in OAuthLib version 3.2.1. For users unable to upgrade immediately, a workaround involves verifying the redirect_uri in the web toolkit (e.g., bottle-oauthlib, django-oauth-toolkit) before OAuthLib is called. A simple check for the presence of ':' can prevent the DoS, assuming no port or IPv6 functionality is required (GitHub Advisory).
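The following is an added example of the pre-OAuthLib check described above; it is not code from OAuthLib, the advisory, or any of the named toolkits. It applies the ':' rule to the authority (host) component of the redirect URI rather than to the whole string, because the scheme separator in any absolute URI already contains a colon; rejecting any netloc with a colon refuses both explicit ports and bracketed IPv6 literals, which is exactly the "no port or IPv6 functionality" assumption the workaround rests on. The function and scheme allow-list names are this example's own, and the sample URIs are constructed.

```python
from urllib.parse import urlsplit

# Schemes a redirect_uri may use in this example deployment (assumption).
ALLOWED_SCHEMES = {"https", "http"}


def redirect_uri_is_safe(redirect_uri: str) -> bool:
    """Pre-check to run in the web toolkit before the URI reaches OAuthLib.

    Returns False for anything that should be refused outright:
      - URIs the standard library cannot even split (e.g. unbalanced IPv6
        brackets, for which urlsplit raises ValueError)
      - schemes outside the allow-list
      - URIs without a host component
      - any host component containing ':' (explicit port or IPv6 literal),
        which is the workaround from the advisory for deployments that
        need neither
    """
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        # Malformed authority section; never hand this on.
        return False

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc:
        return False
    if ":" in parts.netloc:
        return False
    return True


def filter_redirect_uris(candidates):
    """Split a batch of candidate redirect URIs into accepted and rejected.

    Handy for checking a registered-client list at load time; only the
    accepted entries should ever be passed to OAuthLib.
    """
    accepted, rejected = [], []
    for uri in candidates:
        (accepted if redirect_uri_is_safe(uri) else rejected).append(uri)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from any real client registration.
    samples = [
        "https://app.example/cb",          # plain hostname: accepted
        "https://app.example:8443/cb",     # explicit port: rejected
        "https://[2001:db8::1]/cb",        # IPv6 literal: rejected
        "https://[2001:db8::1/cb",         # unbalanced bracket: rejected
        "javascript:alert(1)",             # disallowed scheme: rejected
        "https:///cb",                     # no host: rejected
    ]
    ok, bad = filter_redirect_uris(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

Because the check runs before OAuthLib is invoked, it protects the `uri_validate` path regardless of which OAuthLib version is installed, and it can be removed once the deployment is on a patched release and needs port or IPv6 redirect targets again.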
Multiple Linux distributions responded to the vulnerability by releasing security updates, including Fedora 37, 38, and 39, which updated their python-oauthlib packages to version 3.2.2 to address the security issue (Fedora Update).
Source: This report was generated using AI