OAuth 2.0 Authorization Code Leakage via Open Redirect

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Constraints: Maintain all Markdown formatting intact. Do not add any introductory or concluding remarks. Just output the English translation. Input: A structured text containing vulnerability details (Key Info, Details, Exploitation Steps, Impact, Remediation). 2. Analyze the Input Content: Header: (Vulnerability Key Information) Section 1: (Vulnerability Overview) Type: OAuth 2.0 Authorization Code Leak (via Open Redirect) Affected Versions: (or ) -> Let's stick to standard terminology: . -> -> -> -> -> -> Keep as is (English terms already present). redirect_uri -> redirect_uri -> Keep as is. redirect_uri -> redirect_uri -> -> Code block: Keep exactly as is. -> Code block: Keep exactly as is. -> -> -> -> -> (or ) -> OidcResource.java redirect_uri -> OidcResource.java redirect_uri OpenIdProvider.java -> OpenIdProvider.java 4. Review and Refine: Check Markdown syntax (headers, bolding, code blocks, lists). Ensure cybersecurity terminology is accurate (e.g., "Authorization Code", "Open Redirect", "Callback Endpoint", "Session Cookie"). Ensure no extra text is added. Self-Correction on "Jump functionality": "去除重定向 URI 跳转功能" literally means "remove redirect URI jump functionality". In context, it likely means removing the ability to redirect based on that parameter or the dynamic redirect feature. "Remove the redirect URI redirection functionality" or "Remove the redirect URI jump feature". Let's use "remove the redirect URI redirection functionality" or keep it close to original meaning. "Remove the redirect URI jump functionality" is acceptable but "Remove the dynamic redirect functionality" might be more natural. However, as a translator, I should stay close to the source unless it's clearly wrong. "Jump" here implies redirection. Let's use "remove the redirect URI redirection functionality" or simply "remove the redirect URI jump functionality". Let's go with "remove the redirect URI redirection functionality" for better technical accuracy, but "jump" is often used in Chinese security contexts for "redirect". Let's stick to "redirect functionality" to be safe and professional. Actually, "jump" in this context usually means the action of redirecting. So "remove the redirect URI redirection feature". Let's try to be precise: "remove the redirect URI jump functionality" might sound a bit Chinglish. "Remove the ability to redirect via URI" is better. But I need to translate the meaning. "Remove the redirect URI jump functionality" -> "Remove the redirect URI redirection functionality". Let's use "Remove the redirect URI redirection functionality". Wait, looking at the source: "去除重定向 URI 跳转功能". "跳转" = jump/redirect. "功能" = function/feature. So "Remove the redirect URI redirection feature". Let's check "Vulnerability Key Information". "Critical Vulnerability Information" is also common. "Key Information" is fine. "Exploitation Steps" is standard. "Recommended Fixes" is standard. Refining "Jump": In web security, "redirect" is the standard term. "Jump" is a literal translation of 跳转。I will translate it as "redirection" for professionalism. Refining "Leakage": "Leak" or "Exposure". "Leakage" is fine. Refining "Takeover": "Account Takeover" is standard. Final check on code blocks: Ensure they remain inside the markdown block. 5. Final Output Generation: (Constructing the response based on the refined draft). Header: Subheader: List items... Subheader: List items... Subheader: List items with code blocks... Subheader: List items... Subheader: List items... One detail: "OAuth 2.0 授权码泄漏" -> "OAuth 2.0 Authorization Code Leak". "通过开放重定向" -> "(via Open Redirect)". "未验证...直接使用" -> "used directly without validation". "绕过配置的回调 URL" -> "bypassing configured callback URLs". "获取会话 cookie" -> "Obtain Session Cookie". "请求授权码" -> "Request Authorization Code". "OAuth 授权码被盗" -> "OAuth Authorization Code Stolen". "用户数据泄露" -> "User Data Leakage" (or "Exposure"). "Leakage" is fine. "平台的账户接管" -> "Platform Account Takeover". "实施...验证" -> "Implement ... validation". "去除...功能" -> "Remove ... functionality". Let's assemble. Wait, one check on CVSS string: . This is standard notation, keep as is. Wait, one check on code blocks: The input has ` OidcResource.java redirect_uri OpenIdProvider.java`, remove the redirect URI redirection functionality.

Goal Reached Thanks to every supporter — we hit 100%!

OAuth 2.0 Authorization Code Leakage via Open Redirect

More from this source