CVE-2021-39191

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-39191

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39191.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-39191

Aliases

GHSA-2pgf-8h6h-gqg2

Related

Published

2021-09-03T14:15:07Z

Modified

2024-09-18T03:15:48.649519Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of modauthopenidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter. A patch in version 2.4.9.4 made it so that the OIDCRedirectURLsAllowed setting must be applied to the target_link_uri parameter. There are no known workarounds aside from upgrading to a patched version.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9.4-0+deb11u1

Affected versions

2.*

2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openidc/mod_auth_openidc

Affected ranges

Type: GIT
Repo: https://github.com/openidc/mod_auth_openidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d

Affected versions

2.*

2.3.11rc1

v1.*

v1.5

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.8.0

v1.8.1

v1.8.10

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc4

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.2.0

v2.3.0

v2.3.0rc0

v2.3.0rc3

v2.3.1

v2.3.10

v2.3.10.1

v2.3.10.2

v2.3.11

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.0.1

v2.4.0.2

v2.4.0.3

v2.4.0.4

v2.4.1

v2.4.2

v2.4.2.1

v2.4.3

v2.4.4

v2.4.4.1

v2.4.5

v2.4.6

v2.4.7

v2.4.7.1

v2.4.7.2

v2.4.8.1

v2.4.8.2

v2.4.8.3

v2.4.8.4

v2.4.9

v2.4.9.1

v2.4.9.2

v2.4.9.3