CVE-2021-32791

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-32791

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32791.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-32791

Aliases

GHSA-px3c-6x7j-3r9r

Related

Published

2021-07-26T17:15:08Z

Modified

2024-09-18T03:15:44.809856Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/httpd

Affected ranges

Type: GIT
Repo: https://github.com/apache/httpd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7ea253ccfeaec99b5684c909dce6d9a6d7ee6486

Type: GIT
Repo: https://github.com/openidc/mod_auth_openidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

375407c16c61a70b56fdbe13b0d2c8f11398e92c

Affected versions

2.*

2.3.11rc1

v1.*

v1.5

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.8.0

v1.8.1

v1.8.10

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc4

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.2.0

v2.3.0

v2.3.0rc0

v2.3.0rc3

v2.3.1

v2.3.10

v2.3.10.1

v2.3.10.2

v2.3.11

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.0.1

v2.4.0.2

v2.4.0.3

v2.4.0.4

v2.4.1

v2.4.2

v2.4.2.1

v2.4.3

v2.4.4

v2.4.4.1

v2.4.5

v2.4.6

v2.4.7

v2.4.7.1

v2.4.7.2

v2.4.8.1

v2.4.8.2

v2.4.8.3

v2.4.8.4