CVE-2023-28625

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28625
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28625.json
Aliases
  • GHSA-f5xw-rvfr-24qr
Related
Published
2023-04-03T14:15:07Z
Modified
2023-11-29T10:03:31.716280Z
Details

modauthopenidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.

References

Affected packages

Git / github.com/OpenIDC/mod_auth_openidc

Affected ranges

Type
GIT
Repo
https://github.com/OpenIDC/mod_auth_openidc
Events
Introduced
0The exact introduced commit is unknown
Fixed
c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
Type
GIT
Repo
https://github.com/openidc/mod_auth_openidc
Events
Introduced
4fe40bd8bed0c7697f4fb2c3733d02d472cb849e
Fixed
3f11976dab56af0a46a7dddb7a275cc16d6eb726

Affected versions

2.*

2.3.11rc1

v1.*

v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.10
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9

v2.*

v2.0.0
v2.0.0rc1
v2.0.0rc4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.3.0
v2.3.0rc0
v2.3.0rc3
v2.3.1
v2.3.10
v2.3.10.1
v2.3.10.2
v2.3.11
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.0.1
v2.4.0.2
v2.4.0.3
v2.4.0.4
v2.4.1
v2.4.10
v2.4.11
v2.4.11.1
v2.4.11.2
v2.4.11.3
v2.4.12
v2.4.12.1
v2.4.12.2
v2.4.12.3
v2.4.13
v2.4.13.1
v2.4.2
v2.4.2.1
v2.4.3
v2.4.4
v2.4.4.1
v2.4.5
v2.4.6
v2.4.7
v2.4.7.1
v2.4.7.2
v2.4.8.1
v2.4.8.2
v2.4.8.3
v2.4.8.4
v2.4.9
v2.4.9.1
v2.4.9.2
v2.4.9.3
v2.4.9.4