Lucene search
K
OpenidcMod Auth Openidc

15 matches found

CVE
CVE
added 2021/07/22 12:0 a.m.321 views

CVE-2021-32786

CVE-2021-32786 affects mod_auth_openidc (Apache 2.x). In versions before 2.4.9, oidc_validate_redirect_url() parses URLs differently from browsers, allowing an Open Redirect in the logout flow. The issue is fixed in 2.4.9 by replacing backslashes with slashes in redirects. A mitigations option is...

6.1CVSS5.4AI score0.02364EPSS
CVE
CVE
added 2021/07/26 12:0 a.m.311 views

CVE-2021-32791

mod_auth_openidc is an Apache 2.x authentication module that, before version 2.4.9, used a static IV and AAD for AES-GCM encryption, causing nonce reuse and potential cryptographic issues. The issue is fixed in 2.4.9 and later by using dynamic IV/AAD values via cjose AES routines. Affected system...

5.9CVSS6AI score0.01503EPSS
CVE
CVE
added 2021/07/26 12:0 a.m.303 views

CVE-2021-32792

CVE-2021-32792 affects mod_auth_openidc (Apache 2.x) as an OpenID Connect RP. Prior to 2.4.9, an XSS vulnerability occurs when OIDCPreservePost is On. Affected environments include deployments using mod_auth_openidc with this setting, with Debian/Mageia/Fedora advisories noting fixes around versi...

6.1CVSS5AI score0.01523EPSS
CVE
CVE
added 2021/07/22 12:0 a.m.271 views

CVE-2021-32785

CVE-2021-32785 affects mod_auth_openidc (Apache 2.x) prior to 2.4.9 when configured with an unencrypted Redis cache. The issue arises from argument interpolation before Redis requests are passed to hiredis, causing an uncontrolled format string bug. Impact described as reliable denial of service ...

7.5CVSS6.4AI score0.02731EPSS
CVE
CVE
added 2020/02/20 12:0 a.m.248 views

CVE-2019-20479

The CVE-2019-20479 issue affects mod_auth_openidc before 2.4.1, caused by insufficient validation of URLs beginning with a slash and backslash, leading to an Open Redirect vulnerability in logout URLs. Multiple connected advisories (Debian, Red Hat/CentOS, Fedora, Amazon Linux advisories) confirm...

6.1CVSS6.1AI score0.01893EPSS
CVE
CVE
added 2023/04/03 1:19 p.m.219 views

CVE-2023-28625

The CVE-2023-28625 entry concerns mod_auth_openidc (OpenID Connect Relying Party module for Apache). Affected versions 2.0.0–2.4.13.1 contain a NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied, leading to a segmentation fault and an availability risk. ...

7.5CVSS7.5AI score0.01327EPSS
CVE
CVE
added 2019/11/26 11:56 a.m.208 views

CVE-2019-14857

CVE-2019-14857 affects mod_auth_openidc prior to 2.4.0.1 and describes an open redirect vulnerability in logout URL handling for URLs with leading slashes (and related trailing slash cases). The issue can allow attackers to redirect victims to a potentially malicious site during logout, with cite...

6.1CVSS6.4AI score0.01535EPSS
CVE
CVE
added 2021/09/03 12:0 a.m.147 views

CVE-2021-39191

CVE-2021-39191 affects mod_auth_openidc (Apache 2.x OpenID Connect RP). The 3rd‑party init SSO feature could open redirects by supplying a crafted URL in the target_link_uri parameter. A patch in version 2.4.9.4 adds required validation via the OIDCRedirectURLsAllowed setting on target_link_uri. ...

6.1CVSS5.3AI score0.0175EPSS
CVE
CVE
added 2021/05/20 1:15 a.m.144 views

CVE-2021-20718

The CVE-2021-20718 issue affects mod_auth_openidc versions 2.4.0 through 2.4.7, enabling a remote attacker to cause a denial-of-service (DoS) via unspecified vectors. Connected advisories indicate a fixed version (e.g., 2.4.8.x/2.4.8.4) has been released in some distributions (Fedora/Mageia Debia...

7.5CVSS7.2AI score0.03395EPSS
CVE
CVE
added 2022/12/14 5:22 p.m.139 views

CVE-2022-23527

CVE-2022-23527 affects mod_auth_openidc for Apache 2.x. Versions prior to 2.4.12.2 are vulnerable to an Open Redirect caused by improper validation in oidc_validate_redirect_url() for logout redirect URIs that may start with a tab (\t). The issue can be mitigated by upgrading to 2.4.12.2; if upgr...

6.1CVSS5.7AI score0.00905EPSS
CVE
CVE
added 2024/02/13 6:46 p.m.128 views

CVE-2024-24814

CVE-2024-24814 affects the mod_auth_openidc OpenID Connect Relying Party module for Apache 2.x. The issue arises from missing input validation on the mod_auth_openidc_session_chunks cookie, which can be manipulated to a very large value, causing the server to work hard, delay responses, and poten...

7.5CVSS7.4AI score0.01261EPSS
CVE
CVE
added 2019/07/19 2:13 p.m.103 views

CVE-2019-1010247

CVE-2019-1010247 – affected software and impact : ZmartZone IAM mod_auth_openidc (Apache module) versions 2.3.10.1 and earlier contain an XSS flaw in the OIDCRedirectURI page, where generated JavaScript uses a poll parameter as a string variable; this can lead to Criss-Site Scripting (XSS) and ma...

6.1CVSS6.1AI score0.01274EPSS
CVE
CVE
added 2017/04/12 8:0 p.m.80 views

CVE-2017-6059

CVE-2017-6059 affects the Ping Identity OpenID Connect module for Apache (mod_auth_openidc) prior to 2.14. The issue allows remote attackers to spoof page content by presenting a malicious URL that triggers an invalid request, due to improper handling within mod_auth_openidc.c. The vulnerability’...

7.5CVSS7.4AI score0.05177EPSS
CVE
CVE
added 2017/03/02 6:0 a.m.73 views

CVE-2017-6413

The vulnerability CVE-2017-6413 affects the OpenID Connect Relying Party and OAuth 2.0 Resource Server component (mod_auth_openidc) for Apache HTTP Server, where versions prior to 2.1.6 do not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an AuthType oauth20 configuration. This allows remote at...

8.6CVSS7.9AI score0.04253EPSS
CVE
CVE
added 2017/03/02 6:0 a.m.56 views

CVE-2017-6062

Summary (CVE-2017-6062): The Apache module mod_auth_openidc (OpenID Connect Relying Party/OAuth 2.0 Resource Server) prior to version 2.1.5 does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an OIDCUnAuthAction pass. This can allow remote attackers to bypass authentication via crafted HTTP ...

8.6CVSS7.9AI score0.03633EPSS