15 matches found
CVE-2021-32786
CVE-2021-32786 affects mod_auth_openidc (Apache 2.x). In versions before 2.4.9, oidc_validate_redirect_url() parses URLs differently from browsers, allowing an Open Redirect in the logout flow. The issue is fixed in 2.4.9 by replacing backslashes with slashes in redirects. A mitigations option is...
CVE-2021-32791
mod_auth_openidc is an Apache 2.x authentication module that, before version 2.4.9, used a static IV and AAD for AES-GCM encryption, causing nonce reuse and potential cryptographic issues. The issue is fixed in 2.4.9 and later by using dynamic IV/AAD values via cjose AES routines. Affected system...
CVE-2021-32792
CVE-2021-32792 affects mod_auth_openidc (Apache 2.x) as an OpenID Connect RP. Prior to 2.4.9, an XSS vulnerability occurs when OIDCPreservePost is On. Affected environments include deployments using mod_auth_openidc with this setting, with Debian/Mageia/Fedora advisories noting fixes around versi...
CVE-2021-32785
CVE-2021-32785 affects mod_auth_openidc (Apache 2.x) prior to 2.4.9 when configured with an unencrypted Redis cache. The issue arises from argument interpolation before Redis requests are passed to hiredis, causing an uncontrolled format string bug. Impact described as reliable denial of service ...
CVE-2019-20479
The CVE-2019-20479 issue affects mod_auth_openidc before 2.4.1, caused by insufficient validation of URLs beginning with a slash and backslash, leading to an Open Redirect vulnerability in logout URLs. Multiple connected advisories (Debian, Red Hat/CentOS, Fedora, Amazon Linux advisories) confirm...
CVE-2023-28625
The CVE-2023-28625 entry concerns mod_auth_openidc (OpenID Connect Relying Party module for Apache). Affected versions 2.0.0–2.4.13.1 contain a NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied, leading to a segmentation fault and an availability risk. ...
CVE-2019-14857
CVE-2019-14857 affects mod_auth_openidc prior to 2.4.0.1 and describes an open redirect vulnerability in logout URL handling for URLs with leading slashes (and related trailing slash cases). The issue can allow attackers to redirect victims to a potentially malicious site during logout, with cite...
CVE-2021-39191
CVE-2021-39191 affects mod_auth_openidc (Apache 2.x OpenID Connect RP). The 3rd‑party init SSO feature could open redirects by supplying a crafted URL in the target_link_uri parameter. A patch in version 2.4.9.4 adds required validation via the OIDCRedirectURLsAllowed setting on target_link_uri. ...
CVE-2021-20718
The CVE-2021-20718 issue affects mod_auth_openidc versions 2.4.0 through 2.4.7, enabling a remote attacker to cause a denial-of-service (DoS) via unspecified vectors. Connected advisories indicate a fixed version (e.g., 2.4.8.x/2.4.8.4) has been released in some distributions (Fedora/Mageia Debia...
CVE-2022-23527
CVE-2022-23527 affects mod_auth_openidc for Apache 2.x. Versions prior to 2.4.12.2 are vulnerable to an Open Redirect caused by improper validation in oidc_validate_redirect_url() for logout redirect URIs that may start with a tab (\t). The issue can be mitigated by upgrading to 2.4.12.2; if upgr...
CVE-2024-24814
CVE-2024-24814 affects the mod_auth_openidc OpenID Connect Relying Party module for Apache 2.x. The issue arises from missing input validation on the mod_auth_openidc_session_chunks cookie, which can be manipulated to a very large value, causing the server to work hard, delay responses, and poten...
CVE-2019-1010247
CVE-2019-1010247 – affected software and impact : ZmartZone IAM mod_auth_openidc (Apache module) versions 2.3.10.1 and earlier contain an XSS flaw in the OIDCRedirectURI page, where generated JavaScript uses a poll parameter as a string variable; this can lead to Criss-Site Scripting (XSS) and ma...
CVE-2017-6059
CVE-2017-6059 affects the Ping Identity OpenID Connect module for Apache (mod_auth_openidc) prior to 2.14. The issue allows remote attackers to spoof page content by presenting a malicious URL that triggers an invalid request, due to improper handling within mod_auth_openidc.c. The vulnerability’...
CVE-2017-6413
The vulnerability CVE-2017-6413 affects the OpenID Connect Relying Party and OAuth 2.0 Resource Server component (mod_auth_openidc) for Apache HTTP Server, where versions prior to 2.1.6 do not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an AuthType oauth20 configuration. This allows remote at...
CVE-2017-6062
Summary (CVE-2017-6062): The Apache module mod_auth_openidc (OpenID Connect Relying Party/OAuth 2.0 Resource Server) prior to version 2.1.5 does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an OIDCUnAuthAction pass. This can allow remote attackers to bypass authentication via crafted HTTP ...