CVSS3: 6.1 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 5.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low (Percentile 54.6%)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidc_validate_redirect_url() does not parse URLs the same way most browsers do. As a result, this function can be bypassed, leading to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash in the redirect URL with a slash, which addresses a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring mod_auth_openidc to only allow redirects whose destination matches a given regular expression.
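The parser discrepancy and the 2.4.9 fix, as an added illustration in Python (not the module's own C code). The host allowlist regex and the sample redirect targets are constructed for this example; the module's workaround directive matches the destination string rather than a parsed host.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist standing in for the page's "regular expression
# the redirect destination must match" workaround (assumption: we match
# the parsed host, the module matches the whole destination string).
ALLOWED_HOST_RE = re.compile(r"^(?:www\.)?app\.example$")


def validate_redirect_url(url: str, normalize_backslashes: bool) -> bool:
    """Return True if `url` is an acceptable post-logout redirect target.

    normalize_backslashes=False mirrors the pre-2.4.9 behaviour: the URL is
    handed as-is to an RFC 3986 style parser (urlsplit), which does not treat
    a backslash as a delimiter, so "/\\evil.example/" looks like a relative
    path. A WHATWG-conformant browser treats "\\" like "/" for http(s) and
    navigates to evil.example instead.

    normalize_backslashes=True mirrors the 2.4.9 fix: every backslash is
    replaced by a slash before parsing, so the validator sees the same
    authority the browser will use.
    """
    if normalize_backslashes:
        url = url.replace("\\", "/")
    parts = urlsplit(url)
    # Only http(s) absolute targets are acceptable; scheme-less is fine.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # No authority component: a same-site relative redirect.
    if not parts.netloc:
        return True
    # Authority present: host must be allow-listed.
    return ALLOWED_HOST_RE.match(parts.hostname or "") is not None


if __name__ == "__main__":
    # Constructed sample targets; the backslash ones are the parser-mismatch case.
    for target in ["/account", "https://app.example/home",
                   "/\\evil.example/", "https:/\\evil.example/"]:
        print(f"{target!r}: pre-fix={validate_redirect_url(target, False)} "
              f"fixed={validate_redirect_url(target, True)}")
```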
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 16.04 | noarch | libapache2-mod-auth-openidc | < any | UNKNOWN |
daniel.haxx.se/blog/2017/01/30/one-url-standard-please/
github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544
github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544 (v2.4.9)
github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7
launchpad.net/bugs/cve/CVE-2021-32786
nvd.nist.gov/vuln/detail/CVE-2021-32786
security-tracker.debian.org/tracker/CVE-2021-32786
www.cve.org/CVERecord?id=CVE-2021-32786