CVE-2023-28625

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28625
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28625.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28625
Aliases
  • GHSA-f5xw-rvfr-24qr
Related
Published
2023-04-03T14:15:07Z
Modified
2024-09-18T03:23:25.538883Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

modauthopenidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.9.4-0+deb11u3

Affected versions

2.*

2.4.9-1
2.4.9.4-0+deb11u1
2.4.9.4-0+deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.12.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.12.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openidc/mod_auth_openidc

Affected ranges

Type
GIT
Repo
https://github.com/openidc/mod_auth_openidc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.3.11rc1

v1.*

v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.10
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9

v2.*

v2.0.0
v2.0.0rc1
v2.0.0rc4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.3.0
v2.3.0rc0
v2.3.0rc3
v2.3.1
v2.3.10
v2.3.10.1
v2.3.10.2
v2.3.11
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.0.1
v2.4.0.2
v2.4.0.3
v2.4.0.4
v2.4.1
v2.4.10
v2.4.11
v2.4.11.1
v2.4.11.2
v2.4.11.3
v2.4.12
v2.4.12.1
v2.4.12.2
v2.4.12.3
v2.4.13
v2.4.13.1
v2.4.2
v2.4.2.1
v2.4.3
v2.4.4
v2.4.4.1
v2.4.5
v2.4.6
v2.4.7
v2.4.7.1
v2.4.7.2
v2.4.8.1
v2.4.8.2
v2.4.8.3
v2.4.8.4
v2.4.9
v2.4.9.1
v2.4.9.2
v2.4.9.3
v2.4.9.4