Mod Auth Openidc


By the Year

In 2024 there have been 0 vulnerabilities in Mod Auth Openidc. Last year Mod Auth Openidc had 1 security vulnerability published. Right now, Mod Auth Openidc is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 7.50
2022 1 6.10
2021 2 6.80
2020 1 6.10
2019 2 6.10
2018 0 0.00

It may take a day or so for new Mod Auth Openidc vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Mod Auth Openidc Security Vulnerabilities


CVE-2023-28625 7.5 - High - April 03, 2023

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.


CVE-2022-23527 6.1 - Medium - December 14, 2022

mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

Open Redirect


CVE-2021-39191 6.1 - Medium - September 03, 2021

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.

Open Redirect


CVE-2021-20718 7.5 - High - May 20, 2021

mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.

Resource Exhaustion


CVE-2019-20479 6.1 - Medium - February 20, 2020

A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.

Open Redirect


CVE-2019-14857 6.1 - Medium - November 26, 2019

A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.

Open Redirect


CVE-2019-1010247 6.1 - Medium - July 19, 2019

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.

XSS


CVE-2017-6059 7.5 - High - April 12, 2017

mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.

Improper Input Validation


CVE-2017-6413 8.6 - High - March 02, 2017

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

Authentication Bypass


CVE-2017-6062 8.6 - High - March 02, 2017

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

Authentication Bypass
