CVE-2023-28625

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28625
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28625.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28625
Aliases
  • GHSA-f5xw-rvfr-24qr
Downstream
Related
Published
2023-04-03T13:19:40Z
Modified
2025-10-22T18:36:30.385187Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
mod_auth_openidc core dump when OIDCStripCookies is set and an empty Cookie header is supplied
Details

modauthopenidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.

Database specific 
{
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/openidc/mod_auth_openidc

Affected ranges

Type
GIT
Repo
https://github.com/openidc/mod_auth_openidc
Events
Introduced
4fe40bd8bed0c7697f4fb2c3733d02d472cb849e
Fixed
3f11976dab56af0a46a7dddb7a275cc16d6eb726

Affected versions

2.*

2.3.11rc1

v2.*

v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.3.0
v2.3.0rc0
v2.3.0rc3
v2.3.1
v2.3.10
v2.3.10.1
v2.3.10.2
v2.3.11
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.0.1
v2.4.0.2
v2.4.0.3
v2.4.0.4
v2.4.1
v2.4.10
v2.4.11
v2.4.11.1
v2.4.11.2
v2.4.11.3
v2.4.12
v2.4.12.1
v2.4.12.2
v2.4.12.3
v2.4.13
v2.4.13.1
v2.4.2
v2.4.2.1
v2.4.3
v2.4.4
v2.4.4.1
v2.4.5
v2.4.6
v2.4.7
v2.4.7.1
v2.4.7.2
v2.4.8.1
v2.4.8.2
v2.4.8.3
v2.4.8.4
v2.4.9
v2.4.9.1
v2.4.9.2
v2.4.9.3
v2.4.9.4