CVE-2017-6062

Source
https://cve.org/CVERecord?id=CVE-2017-6062
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6062.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-6062
Published
2017-03-02T06:59:00.230Z
Modified
2025-11-20T10:42:09.966855Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
[none]
Details

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

References

Affected packages

Git / github.com/openidc/mod_auth_openidc

Affected ranges

Type
GIT
Repo
https://github.com/openidc/mod_auth_openidc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.10
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9

v2.*

v2.0.0
v2.0.0rc1
v2.0.0rc4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6062.json"

vanir_signatures

[
    {
        "source": "https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "src/mod_auth_openidc.c"
        },
        "id": "CVE-2017-6062-52ab9169"
    },
    {
        "source": "https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850",
        "digest": {
            "length": 1680.0,
            "function_hash": "23087062502499850250068183479776194754"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "file": "src/mod_auth_openidc.c",
            "function": "oidc_check_userid_openidc"
        },
        "id": "CVE-2017-6062-77543a8e"
    },
    {
        "source": "https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850",
        "digest": {
            "length": 2785.0,
            "function_hash": "301378486185075427509235490601443248735"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "file": "src/mod_auth_openidc.c",
            "function": "oidc_handle_existing_session"
        },
        "id": "CVE-2017-6062-c9ad601c"
    }
]