3 matches found
CVE-2019-3878
CVE-2019-3878 affects mod_auth_mellon for Apache before v0.14.2. When Apache runs as a reverse proxy and mod_auth_mellon is configured to require valid-user, an attacker can bypass authentication by adding the HTTP headers that normally initiate a SAML ECP (non-browser) flow. The connected advisories in...
CVE-2019-13038
CVE-2019-13038 affects mod_auth_mellon through version 0.14.2 (multiple advisories and Nessus plugins reference that range). It is an open redirect via the login?ReturnTo= parameter: a target such as http: followed by a host but with the // omitted is not recognised as an external URL by the redirect check, while the browser still resolves it as an absolute URL. Connected documents en...
CVE-2019-3877
CVE-2019-3877 affects mod_auth_mellon before v0.14.2. The redirect-target validation on the logout URL can be bypassed with URLs containing backslashes: apr_uri_parse treats such a URL as relative and lets it through, while browsers silently convert the backslashes to forward slashes and follow it as an absolute URL, giving an open redirect. Remediation per connected advisories is to upgr...
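The two redirect bugs above (CVE-2019-13038 and CVE-2019-3877) share one root cause: the server-side check trusts a URL parser that does not see the input the way a browser does. The following Python is an example added here, not code from the page or from the mod_auth_mellon project; the function names, the simplified browser normalisation in browser_view, and the sample targets (with the hypothetical host evil.example) are assumptions. It contrasts a parser-trusting check, which passes both malicious shapes, with a hardened check that refuses them.

```python
import re
from urllib.parse import urlsplit

# Constructed sample redirect targets in the shapes the two CVEs describe.
# evil.example is a hypothetical attacker host, not taken from any advisory.
SAMPLES = {
    "legit":          "/secure/page?q=a:b",
    "cve_2019_13038": "http:evil.example",   # scheme present, "//" missing
    "cve_2019_3877":  "/\\evil.example",     # backslash, parsed as a path
    "proto_relative": "//evil.example",
}


def naive_is_local(target: str) -> bool:
    """A check that trusts the URL parser: no host component => relative => safe.

    urlsplit, like apr_uri_parse, does not treat '\\' as '/' and reads
    'http:evil.example' as scheme + path, so both malicious shapes pass.
    """
    return urlsplit(target).netloc == ""


def browser_view(target: str) -> str:
    """Approximation (assumption) of the browser-side rewriting at issue:
    backslashes become forward slashes, and an http(s) scheme that lacks
    '//' has it inserted before the host is resolved."""
    t = target.replace("\\", "/")
    m = re.match(r"^(https?):(?!//)(.*)$", t, re.IGNORECASE)
    if m:
        t = f"{m.group(1)}://{m.group(2)}"
    return t


def browser_host(target: str) -> str:
    """Host the browser would actually contact after its normalisation
    ('' means it stays on the current origin)."""
    return urlsplit(browser_view(target)).netloc


def is_safe_local_redirect(target: str) -> bool:
    """Hardened check: accept only a single-slash-rooted path and refuse
    anything a browser could reinterpret as a different origin."""
    if any(ord(c) < 0x20 or c.isspace() for c in target):
        return False                     # browsers strip these; refuse instead
    if "\\" in target:
        return False                     # CVE-2019-3877 shape
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False                     # CVE-2019-13038 and //host shapes
    return target.startswith("/") and not target.startswith("//")


def audit(samples: dict) -> dict:
    """For each sample: what the naive check says, where the browser really
    goes, and what the hardened check says."""
    return {
        name: (naive_is_local(t), browser_host(t), is_safe_local_redirect(t))
        for name, t in samples.items()
    }


if __name__ == "__main__":
    for name, (naive_ok, host, hardened_ok) in audit(SAMPLES).items():
        print(f"{name:15} naive={naive_ok!s:5} browser_host={host or '(same)':14} "
              f"hardened={hardened_ok}")
```

The point of the contrast is that the naive check and the browser disagree on exactly the two inputs the advisories describe: the parser reports no host, the browser contacts evil.example. Rejecting backslashes and any explicit scheme outright, rather than trying to normalise the input, keeps the check independent of how a particular browser reinterprets the URL.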