Impact
When setting variables in the NGINX config, they would be set in the configuration context and as such be retained over subsequent requests, even if the next request did not contain a token.
What kind of vulnerability is it? Who is impacted?
Configurations that implement some form of access control based on the value of variables set from claims are impacted.
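The following is an added illustration, not code from the affected module or from liboauth2: it models the retained-variable behaviour described above beside a per-request variant, using a constructed token table and constructed variable names, so that a second, tokenless request is only authorized in the vulnerable model.

```python
# Added model of the bug class (not the module's code). A "configuration
# context" object is shared by all requests; claim-derived variables written
# into it survive into later requests that carry no token at all.

from dataclasses import dataclass, field

# Constructed sample "tokens": token string -> claims (no real JWT parsing).
VALID_TOKENS = {"tok-alice": {"sub": "alice", "role": "admin"}}


@dataclass
class ConfigContext:
    """Shared, long-lived state; one instance per server/location block."""
    variables: dict = field(default_factory=dict)


def handle_request_vulnerable(cfg, token):
    """Vulnerable pattern: claim variables are written into the shared
    configuration context, so a request without a token still sees the
    values left behind by the previous request."""
    if token in VALID_TOKENS:
        for claim, value in VALID_TOKENS[token].items():
            cfg.variables[f"claim_{claim}"] = value
    # Access control that only looks at the variable value.
    return cfg.variables.get("claim_role") == "admin"


def handle_request_fixed(cfg, token):
    """Fixed pattern: variables live in a per-request context that starts
    empty for every request, so nothing leaks between requests."""
    request_vars = {}
    if token in VALID_TOKENS:
        for claim, value in VALID_TOKENS[token].items():
            request_vars[f"claim_{claim}"] = value
    return request_vars.get("claim_role") == "admin"


def simulate(handler):
    """Run two requests against one shared context: an authenticated one,
    then one carrying no token. Returns the pair of access decisions."""
    cfg = ConfigContext()
    first = handler(cfg, "tok-alice")
    second = handler(cfg, None)  # no token on the follow-up request
    return first, second
```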
Patches
Users should upgrade to version 3.5.0 or later, which fixes the issue using functionality from liboauth2 1.6.3 or later.
Workarounds
No
References
See #7 and #8