CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score: 7.3 High
Confidence: High
CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS: 0.003 Low
Percentile: 68.5%
Software: mod_auth_openidc 2.3.7
OS: ROSA Virtualization 2.1
package_evr_string: mod_auth_openidc-2.3.7-11.rv3
CVE-ID: CVE-2019-14857
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: An open redirect issue exists in URLs with a trailing slash, similar to CVE-2019-3877 in mod_auth_mellon.
CVE-STATUS: Fixed
CVE-REV: To remediate, run yum update mod_auth_openidc
CVE-ID: CVE-2019-20479
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: An open redirect issue exists in URLs that begin with a slash followed by a backslash.
CVE-STATUS: Fixed
CVE-REV: To remediate, run yum update mod_auth_openidc
CVE-ID: CVE-2021-39191
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the third-party-initiated SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter. The fix in 2.4.9.4 applies the OIDCRedirectURLsAllowed setting to the target_link_uri parameter as well. There are no known workarounds aside from upgrading to a patched version.
CVE-STATUS: Fixed
CVE-REV: To remediate, run yum update mod_auth_openidc
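The three open-redirect entries above (CVE-2019-14857, CVE-2019-20479 and CVE-2021-39191) come down to one check: a client-supplied post-login or post-logout target URL must be validated against an allowlist, and the validation must not be fooled by protocol-relative ("//host") or backslash ("/\host") forms, which browsers resolve as absolute URLs to another host. The block below is an added example written for this page, not mod_auth_openidc's own code: a naive "starts with a slash, so it is local" check beside a hardened validator. The allowlist patterns, the hostnames and the sample targets are constructed for illustration; the pattern list is modelled loosely on OIDCRedirectURLsAllowed, which in mod_auth_openidc takes regular expressions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist, loosely modelled on OIDCRedirectURLsAllowed (which takes
# regular expressions in mod_auth_openidc). The hostnames are illustrative only.
ALLOWED_REDIRECT_PATTERNS = [
    r"https://app\.example\.com(/.*)?",
    r"https://sso\.example\.com/logout",
]


def naive_is_same_origin(raw):
    """The kind of check the open-redirect bugs above defeat: "starts with a
    slash, so it must be a local path". Accepts //evil.example and /\\evil.example."""
    return raw.startswith("/")


def is_safe_redirect(raw, allowed_patterns=ALLOWED_REDIRECT_PATTERNS):
    """Return True only if `raw` is a plain same-origin path or an absolute
    http(s) URL that fully matches one of the allowlist patterns."""
    if not raw or any(ord(ch) <= 0x20 for ch in raw):
        return False  # empty, or contains whitespace / control characters
    # Browsers treat a backslash like a forward slash in front of the host,
    # so "/\evil.example" is really "//evil.example". Normalize before parsing.
    candidate = raw.replace("\\", "/")
    # Exactly one leading slash: a path on the current origin.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return True
    parts = urlsplit(candidate)
    # Anything without an explicit http(s) scheme and a host is rejected:
    # protocol-relative "//host", scheme-less "host/path", "javascript:", ...
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Full-match against the allowlist, so "https://app.example.com@evil.example"
    # and "https://sso.example.com/logout/" (trailing slash) do not slip through.
    return any(re.fullmatch(pattern, candidate) for pattern in allowed_patterns)


if __name__ == "__main__":
    # Constructed sample targets, as a legitimate client or an attacker might send them.
    samples = [
        "/dashboard",
        "//evil.example/",
        "/\\evil.example/",
        "https://app.example.com/dashboard?x=1",
        "https://app.example.com@evil.example/",
        "https://sso.example.com/logout",
        "https://sso.example.com/logout/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_is_same_origin(s)!s:5} hardened={is_safe_redirect(s)}")
```

The backslash normalization is the step that matters for the "slash and backslash at the beginning" variant: without it, a URL parser reports `/\evil.example` as a path with no host, and a same-origin check passes it while the browser follows it to evil.example.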
CVE-ID: CVE-2023-28625
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements OpenID Connect Relying Party functionality. When OIDCStripCookies is set and a crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault. This can be exploited for denial of service and thus poses an availability risk.
CVE-STATUS: Fixed
CVE-REV: To remediate, run yum update mod_auth_openidc
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ROSA | any | noarch | mod_auth_openidc | < 2.3.7 | UNKNOWN |
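Each CVE-REV line says to update the package, and the page names the fixed build in package_evr_string: mod_auth_openidc-2.3.7-11.rv3. Confirming that a host is actually past that build means comparing the installed epoch:version-release against the fixed one with rpm's ordering rules, not with plain string or float comparison (2.3.7-9.rv3 is older than 2.3.7-11.rv3, and 2.4.0~rc1 is older than 2.4.0). The block below is an added example for this page, not rpm's or ROSA's code: it reimplements rpm's rpmvercmp segment rules (including the '~' and '^' markers) and uses them to decide whether an installed EVR, as `rpm -q --qf '%{VERSION}-%{RELEASE}\n' mod_auth_openidc` would print it, is at or past the fixed EVR. The installed EVR values in the block are constructed.

```python
def rpmvercmp(a, b):
    """Compare two RPM version/release strings: 1 if a is newer, -1 if older,
    0 if equal. Reimplementation of rpm's rpmvercmp rules for this example
    (segment-wise numeric/alpha comparison, '~' sorts before anything including
    end-of-string, '^' sorts after end-of-string but before anything else);
    this is not rpm's own code."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # tilde: pre-release marker
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":            # caret: post-release marker
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # Take a run of digits or of letters, the type chosen by the first string.
        isnum = ca.isdigit()
        take = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and take(a[i]):
            i += 1
        while j < len(b) and take(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if seg_b == "":
            return 1 if isnum else -1         # numeric segment beats alphabetic
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # leftover characters win


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release);
    epoch defaults to 0 and release to '' when absent."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(package_string):
    """'name-version-release' -> (name, version, release); split from the
    right, because package names may themselves contain dashes."""
    name, version, release = package_string.rsplit("-", 2)
    return name, version, release


def is_patched(installed_evr, fixed_evr):
    """True when the installed build is the fixed build or newer."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Fixed build taken from the advisory's package_evr_string.
    _, fixed_version, fixed_release = split_nvr("mod_auth_openidc-2.3.7-11.rv3")
    fixed = f"{fixed_version}-{fixed_release}"
    # Constructed installed EVRs, in the form rpm -q --qf '%{VERSION}-%{RELEASE}' prints.
    for installed in ["2.3.7-10.rv3", "2.3.7-11.rv3", "2.3.7-12.rv3", "2.4.0.1-1"]:
        state = "patched" if is_patched(installed, fixed) else "VULNERABLE"
        print(f"installed {installed:14} fixed {fixed:14} -> {state}")
```

Note that the affected-package table above lists "< 2.3.7" while the fixed build is 2.3.7-11.rv3: a distribution may backport the fix into an existing upstream version and bump only the release, which is why the release field has to take part in the comparison.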