CVE-2021-32786 Information
Description
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidc_validate_redirect_url() does not parse URLs the same way most browsers do. As a result, this function can be bypassed, leading to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing every backslash in the redirect URL with a slash, addressing a specific incompatibility between the different URL specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring mod_auth_openidc to only allow redirects whose destination matches a given regular expression.
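The parsing divergence the description refers to, shown as an added example (not mod_auth_openidc's code): an RFC 3986 parser does not treat a backslash as a path delimiter, while a WHATWG (browser) parser treats it like a slash for http(s) URLs, so a validator that trusts the former can judge a URL "local" that a browser will send to another host. The hostnames, URLs and allow-list pattern below are constructed for the demonstration; the hardened check folds backslashes to slashes before validating, as the 2.4.9 fix does, and can optionally enforce a regular-expression allow-list like the workaround the advisory describes.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs: the relying party's own host, and a redirect
# target written with a backslash where a browser would read a slash.
RP_HOST = "rp.example"
MIXED_SLASH_URL = "https:/\\evil.example/x"

def host_rfc3986(url: str) -> Optional[str]:
    """Host as an RFC 3986 parser (urllib) sees it: '\\' is not a delimiter,
    so '/\\' after the scheme means there is no authority component at all."""
    return urlsplit(url).hostname

def host_whatwg_like(url: str) -> Optional[str]:
    """Host as a WHATWG (browser) parser sees it for http(s): '\\' behaves
    like '/', so the same bytes do carry an authority. Approximated here by
    folding backslashes before parsing, the same step the 2.4.9 fix performs."""
    return urlsplit(url.replace("\\", "/")).hostname

def naive_same_host_check(url: str, rp_host: str) -> bool:
    """Illustrative pre-fix style check: trusts a single RFC 3986 parse, so the
    backslash form looks like a relative path (empty netloc) and is accepted."""
    return urlsplit(url).netloc in ("", rp_host)

def validate_redirect_url(url: str, rp_host: str,
                          allowed_re: Optional[re.Pattern] = None) -> bool:
    """Hardened check: canonicalise backslashes first, then accept only a plain
    path (no authority) or an http(s) URL on the relying party's own host.
    If allowed_re is given, the whole canonical URL must also match it."""
    canonical = url.replace("\\", "/")
    if allowed_re is not None and not allowed_re.fullmatch(canonical):
        return False
    parts = urlsplit(canonical)
    if parts.scheme == "" and parts.netloc == "":
        # Plain path: must start with a single '/', never scheme-relative '//'.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is lower-cased and excludes any userinfo ('user@') prefix.
    return parts.hostname == rp_host

# Constructed allow-list: only the relying party's own https origin.
ALLOWED_RE = re.compile(r"https://rp\.example(/.*)?")
```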
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7
https://lists.fedoraproject.org/archives/list/[email protected]/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
https://security.netapp.com/advisory/ntap-20210902-0001/
https://www.oracle.com/security-alerts/cpuapr2022.html
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Base Score: 6.1
Base Severity: MEDIUM