Lucene search

K

MitreCVELIST:CVE-2017-6413

HistoryMar 02, 2017 - 6:00 a.m.

CVE-2017-6413

2017-03-0206:00:00

mitre

www.cve.org

1

7.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.0%

The “OpenID Connect Relying Party and OAuth 2.0 Resource Server” (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an “AuthType oauth20” configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

References

www.securityfocus.com/bid/96549

access.redhat.com/errata/RHSA-2019:2112

github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog

github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e

github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH/

7.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.0%

Related for CVELIST:CVE-2017-6413

osv1 nvd1 prion1 cve1 redhatcve1 ubuntucve1 debiancve1 amazon2 nessus11 redhat1 oraclelinux1 centos1 fedora3 openvas3