CVE-2021-21411 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-21411 Interim 1 5 2026-03-05T05:26:44Z current 2025-08-14T01:10:58Z 2026-03-05T05:26:44Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-21411 OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization checks instead of groups; it is not broken. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-updates/2025-August/041294.html E-Mail link for SUSE-SU-2025:02912-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed ca-certificates-mozilla-2.84-slfo.1.1_1.1 govulncheck-vulndb-0.0.20250811T192933-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 shim-15.8-1.1 ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest shim-15.8-1.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Container suse/sl-micro/6.0/toolbox:latest ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SL-Micro shim-15.8-1.1 as a component of Image SL-Micro ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SLE-Micro shim-15.8-1.1 as a component of Image SLE-Micro shim-15.8-1.1 as a component of Image SLE-Micro-Azure shim-15.8-1.1 as a component of Image SLE-Micro-BYOS shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-Azure shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-BYOS-GCE ca-certificates-mozilla-2.84-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-EC2 shim-15.8-1.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250811T192933-1.1 as a component of openSUSE Tumbleweed OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your applications regardless of `--gitlab-group` membership restrictions. This is patched in v7.1.0. There is no workaround for the Group membership bug. But `--gitlab-project` can be set to use Project membership as the authorization checks instead of groups; it is not broken. CVE-2021-21411 Container suse/sl-micro/6.0/base-os-container:latest:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Container suse/sl-micro/6.0/base-os-container:latest:shim-15.8-1.1 Container suse/sl-micro/6.0/toolbox:latest:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SL-Micro:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SL-Micro:shim-15.8-1.1 Image SLE-Micro:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SLE-Micro:shim-15.8-1.1 Image SLE-Micro-Azure:shim-15.8-1.1 Image SLE-Micro-BYOS:shim-15.8-1.1 Image SLE-Micro-BYOS-Azure:shim-15.8-1.1 Image SLE-Micro-BYOS-EC2:shim-15.8-1.1 Image SLE-Micro-BYOS-GCE:shim-15.8-1.1 Image SLE-Micro-EC2:ca-certificates-mozilla-2.84-slfo.1.1_1.1 Image SLE-Micro-EC2:shim-15.8-1.1 Image SLE-Micro-GCE:shim-15.8-1.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250811T192933-1.1 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N