Lucene search

[email protected]CVE-2021-39191

HistorySep 03, 2021 - 2:15 p.m.

CVE-2021-39191

2021-09-0314:15:00

CWE-601

[email protected]

web.nvd.nist.gov

mod_auth_openidc

apache

http server

authentication

authorization

openid connect

relying party

cve-2021-39191

nvd

vulnerability

patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

59.3%

JSON

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter. A patch in version 2.4.9.4 made it so that the OIDCRedirectURLsAllowed setting must be applied to the target_link_uri parameter. There are no known workarounds aside from upgrading to a patched version.

VendorProductVersionCPE
openidcmod_auth_openidc*cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openidc	mod_auth_openidc	*	cpe:2.3:a:openidc:mod_auth_openidc::::::::

References

github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d

github.com/zmartzone/mod_auth_openidc/issues/672

github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.4

github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2

lists.debian.org/debian-lts-announce/2023/07/msg00020.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/32RGPW5LZDLDTB7MKZIGAHPSLFOUNWR5/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RHXO4O4G2UQS7X6OQJCVZKHZAQ7SAIFB/

Social References

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

59.3%

JSON

Related for CVE-2021-39191

debiancve1 redhatcve1 fedora2 openvas5 cbl_mariner1 osv4 veracode1 prion1 ubuntucve1 debian1 nessus10 oraclelinux1 almalinux1 redhat1 rocky1 rosalinux1