UBUNTU-CVE-2019-3877

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2019-3877

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-3877.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-3877

Related

Published

2019-03-22T00:00:00Z

Modified

2019-03-22T00:00:00Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability was found in modauthmellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apruriparse function.

References

Affected packages

Ubuntu:16.04:LTS / libapache2-mod-auth-mellon

Package

Name: libapache2-mod-auth-mellon
Purl: pkg:deb/ubuntu/libapache2-mod-auth-mellon?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.12.0-2+deb9u1build0.16.04.1

Affected versions

0.*

0.10.0-1

0.11.0-1

0.12.0-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.12.0-2+deb9u1build0.16.04.1",
            "binary_name": "libapache2-mod-auth-mellon"
        },
        {
            "binary_version": "0.12.0-2+deb9u1build0.16.04.1",
            "binary_name": "libapache2-mod-auth-mellon-dbgsym"
        }
    ]
}

Ubuntu:18.04:LTS / libapache2-mod-auth-mellon

Package

Name: libapache2-mod-auth-mellon
Purl: pkg:deb/ubuntu/libapache2-mod-auth-mellon?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.13.1-1ubuntu0.1

Affected versions

0.*

0.13.1-1

0.13.1-1build1

0.13.1-1build2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.13.1-1ubuntu0.1",
            "binary_name": "libapache2-mod-auth-mellon"
        },
        {
            "binary_version": "0.13.1-1ubuntu0.1",
            "binary_name": "libapache2-mod-auth-mellon-dbgsym"
        }
    ]
}

Ubuntu:20.04:LTS / libapache2-mod-auth-mellon

Package

Name: libapache2-mod-auth-mellon
Purl: pkg:deb/ubuntu/libapache2-mod-auth-mellon?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.14.2-1ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "0.14.2-1ubuntu1",
            "binary_name": "libapache2-mod-auth-mellon"
        },
        {
            "binary_version": "0.14.2-1ubuntu1",
            "binary_name": "libapache2-mod-auth-mellon-dbgsym"
        }
    ]
}