CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
15.5%
Debian LTS Advisory DLA-3751-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
March 05, 2024 https://wiki.debian.org/LTS
Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u4
CVE ID : CVE-2024-24814
Debian Bug : 1064183
It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.
Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.
For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS