Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-3499-1:09007
HistoryJul 18, 2023 - 10:51 p.m.

[SECURITY] [DLA 3499-1] libapache2-mod-auth-openidc security update

2023-07-1822:51:29
lists.debian.org
2

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

39.0%

JSON

Debian LTS Advisory DLA-3499-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
July 19, 2023 https://wiki.debian.org/LTS

Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u3
CVE ID : CVE-2021-39191 CVE-2022-23527
Debian Bug : 993648 1026444

Open Redirect vulnerabilities were found in libapache2-mod-auth-openidc,
OpenID Connect Relying Party implementation for Apache, which could lead
to information disclosure via phishing attacks.

CVE-2021-39191

The 3rd-party init SSO functionality of mod_auth_openidc was
reported to be vulnerable to an open redirect attack by supplying a
crafted URL in the target_link_uri parameter.

CVE-2022-23527

When providing a logout parameter to the redirect URI,
mod_auth_openidc failed to properly check for URLs starting with
"/\t", leading to an open redirect.

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u3.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11mips64ellibapache2-mod-auth-openidc-dbgsym< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc-dbgsym_2.4.9.4-0+deb11u2_mips64el.deb
Debian11amd64libapache2-mod-auth-openidc< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2_amd64.deb
Debian11mipsellibapache2-mod-auth-openidc-dbgsym< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc-dbgsym_2.4.9.4-0+deb11u2_mipsel.deb
Debian11armellibapache2-mod-auth-openidc-dbgsym< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc-dbgsym_2.4.9.4-0+deb11u2_armel.deb
Debian11mipsellibapache2-mod-auth-openidc< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2_mipsel.deb
Debian11mips64ellibapache2-mod-auth-openidc< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2_mips64el.deb
Debian10amd64libapache2-mod-auth-openidc< 2.3.10.2-1+deb10u3libapache2-mod-auth-openidc_2.3.10.2-1+deb10u3_amd64.deb
Debian10armhflibapache2-mod-auth-openidc< 2.3.10.2-1+deb10u3libapache2-mod-auth-openidc_2.3.10.2-1+deb10u3_armhf.deb
Debian11ppc64ellibapache2-mod-auth-openidc< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc_2.4.9.4-0+deb11u2_ppc64el.deb
Debian11armhflibapache2-mod-auth-openidc-dbgsym< 2.4.9.4-0+deb11u2libapache2-mod-auth-openidc-dbgsym_2.4.9.4-0+deb11u2_armhf.deb
Rows per page:
1-10 of 221

Related

nessus 15
openvas 8
osv 7
cbl_mariner 2
debiancve 2
cve 2
fedora 4
redhatcve 2
prion 2
veracode 2
ubuntucve 2
almalinux 3
oraclelinux 3
redhat 3
rocky 1
rosalinux 1
nessus
nessus
Debian DLA-3499-1 : libapache2-mod-auth-openidc - LTS security update
2023-07-19 00:00:00
CentOS 9 : mod_auth_openidc-2.4.9.4-2.el9
2024-02-29 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_auth_openidc (SUSE-SU-2023:0215-1)
2023-01-31 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:0215-1)
2023-01-31 00:00:00
Debian: Security Advisory (DLA-3499-1)
2023-07-19 00:00:00
Fedora: Security Advisory for mod_auth_openidc (FEDORA-2022-e139408490)
2022-12-25 00:00:00
osv
osv
libapache2-mod-auth-openidc - security update
2023-07-19 00:00:00
CVE-2022-23527
2022-12-14 18:15:20
CVE-2021-39191
2021-09-03 14:15:07
cbl_mariner
cbl_mariner
CVE-2022-23527 affecting package mod_auth_openidc for versions less than 2.4.14.2-1
2023-09-28 12:35:58
CVE-2021-39191 affecting package mod_auth_openidc for versions less than 2.4.14.2-1
2023-09-28 12:35:58
debiancve
debiancve
CVE-2021-39191
2021-09-03 14:15:00
CVE-2022-23527
2022-12-14 18:15:00
cve
cve
CVE-2022-23527
2022-12-14 18:15:00
CVE-2021-39191
2021-09-03 14:15:00
fedora
fedora
[SECURITY] Fedora 36 Update: mod_auth_openidc-2.4.12.2-1.fc36
2022-12-25 01:22:44
[SECURITY] Fedora 37 Update: mod_auth_openidc-2.4.12.2-1.fc37
2022-12-25 01:08:49
[SECURITY] Fedora 35 Update: mod_auth_openidc-2.4.9.4-1.fc35
2021-12-12 01:10:48
redhatcve
redhatcve
CVE-2021-39191
2021-09-06 17:22:35
CVE-2022-23527
2022-12-15 04:04:44
prion
prion
Open redirect
2022-12-14 18:15:00
Open redirect
2021-09-03 14:15:00
veracode
veracode
Open Redirect
2022-12-20 09:04:10
Open Redirect
2021-09-08 13:57:09
ubuntucve
ubuntucve
CVE-2022-23527
2022-12-14 00:00:00
CVE-2021-39191
2021-09-03 00:00:00
almalinux
almalinux
Moderate: mod_auth_openidc security and bug fix update
2023-11-07 00:00:00
Moderate: mod_auth_openidc:2.3 security and bug fix update
2023-11-14 00:00:00
Moderate: mod_auth_openidc:2.3 security update
2022-05-10 06:30:32
oraclelinux
oraclelinux
mod_auth_openidc security and bug fix update
2023-11-11 00:00:00
mod_auth_openidc:2.3 security and bug fix update
2023-11-18 00:00:00
mod_auth_openidc:2.3 security update
2022-05-17 00:00:00
redhat
redhat
(RHSA-2023:6365) Moderate: mod_auth_openidc security and bug fix update
2023-11-07 06:03:12
(RHSA-2023:6940) Moderate: mod_auth_openidc:2.3 security and bug fix update
2023-11-14 08:40:59
(RHSA-2022:1823) Moderate: mod_auth_openidc:2.3 security update
2022-05-10 06:30:32
rocky
rocky
mod_auth_openidc:2.3 security update
2022-05-10 06:30:32
rosalinux
rosalinux
Advisory ROSA-SA-2024-2362
2024-02-27 09:20:02

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

39.0%

JSON
Related for DEBIAN:DLA-3499-1:09007
nessus15openvas8osv7cbl_mariner2debiancve2cve2fedora4redhatcve2prion2veracode2ubuntucve2almalinux3oraclelinux3redhat3rocky1rosalinux1