2 matches found
CVE-2019-3878
The CVE-2019-3878 issue affects mod_auth_mellon for Apache before v0.14.2. When Apache runs as a reverse proxy and mod_auth_mellon is set to require valid-user, an attacker can bypass authentication by sending specific HTTP headers used in SAML ECP (non-browser) flows. The connected advisories in...
CVE-2019-3877
CVE-2019-3877 affects mod_auth_mellon before v0.14.2. An open redirect in the logout URL can be bypassed when URLs contain backslashes, since browsers convert them to forward slashes and treat the URL as absolute, bypassing apr_uri_parse validation. Remediation per connected advisories is to upgr...