85 matches found
UBUNTU-CVE-2021-32786
modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidcvalidateredirecturl does not parse URLs the same way as most browsers...
AZL-6475 CVE-2020-35452 affecting package httpd for versions less than 2.4.46-10
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...
DEBIAN-CVE-2020-35452
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...
UBUNTU-CVE-2020-35452
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...
PT-2021-6452 · Unknown +5 · Mod Auth Openidc +5
Name of the Vulnerable Software and Affected Versions: mod auth openidc versions prior to 2.4.9 Description: The issue is related to the AES GCM encryption in mod auth openidc, which uses a static IV and AAD. This creates a static nonce and can lead to known cryptographic issues since the same ke...
UBUNTU-CVE-2021-20718
modauthopenidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service DoS condition via unspecified vectors...
USN-4597-1 libapache2-mod-auth-mellon vulnerabilities
François Kooman discovered that modauthmellon incorrectly handled cookies. An attacker could possibly use this issue to cause a Cross-Site Session Transfer attack. CVE-2017-6807 It was discovered that modauthmellon incorrectly handled certain requests. An attacker could possibly use this issue to...
DEBIAN-CVE-2019-20479
A flaw was found in modauthopenidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning...
UBUNTU-CVE-2019-14857
A flaw was found in modauthopenidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in modauthmellon...
httpd: mod_auth_digest: access control bypass due to race condition
A race condition was found in modauthdigest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions...
PT-2019-11526 · Zmartzone Iam · Mod Auth Openidc
Name of the Vulnerable Software and Affected Versions: ZmartZone IAM mod auth openidc versions 2.3.10.1 and earlier Description: The issue affects the ZmartZone IAM mod auth openidc, allowing for Cross Site Scripting XSS attacks. This can lead to redirecting the user to a phishing page or...
PT-2019-5693 · Apache +3 · Mod Auth Mellon +4
Name of the Vulnerable Software and Affected Versions: mod auth mellon versions 0.14.2 and earlier Description: The issue is related to an Open Redirect via the login?ReturnTo= substring. This can be exploited by omitting the // after http: in the target URL, allowing a remote attacker to redirec...
UBUNTU-CVE-2019-3878
A vulnerability was found in modauthmellon before v0.14.2. If Apache is configured as a reverse proxy and modauthmellon is configured to only let through authenticated users with the require valid-user directive, adding special HTTP headers that are normally used to start the special SAML ECP...
httpd: Uninitialized memory reflection in mod_auth_digest
It was discovered that the httpd's modauthdigest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to...
httpd: Uninitialized memory reflection in mod_auth_digest
It was discovered that the httpd's modauthdigest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to...
The vulnerability of the mod_auth_digest module in the Apache HTTP Server allows a hacker to cause the server to terminate abnormally.
The vulnerability of the modauthdigest module in the Apache HTTP Server exists due to insufficient validation of input data. Exploiting this vulnerability can allow a malicious actor to cause the server to terminate abnormally. Each instance of the server will continue to terminate abnormally eve...
DEBIAN-CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to modauthdigest can cause the server to crash, and each instance continues to crash even for subsequently valid requests...
httpd: DoS vulnerability in mod_auth_digest
It was discovered that the modauthdigest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication...
PT-2017-16869 · Ping Identity +2 · Mod Auth Openidc +2
Name of the Vulnerable Software and Affected Versions: mod auth openidc versions prior to 2.14 Description: The issue allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. This occurs due to a flaw in the Mod auth openidc.c...
DEBIAN-CVE-2017-6807
modauthmellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site...