CVE-2017-6059 — Improper Input Validation in MOD Auth Openidc

CWE-20 — Improper Input Validation10 documents7 sources

Severity

7.5HIGHNVD

EPSS

2.0%

top 16.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openidc MOD Auth Openidc

Timeline

PublishedApr 12

Latest updateMay 13

Description

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDopenidc/mod_auth_openidc< 2.1.4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rpc9-4cjr-9wxx: Mod_auth_openidc↗2022-05-13

▶

CVEList

CVE-2017-6059: Mod_auth_openidc↗2017-04-12

▶

OSV

CVE-2017-6059: Mod_auth_openidc↗2017-04-12

▶

📋Vendor Advisories

Red Hat

chromium-browser: use-after-free in flash↗2018-03-06

▶

Red Hat

mod_auth_openidc: Shows user-supplied content on error pages↗2017-01-18

▶

Debian

CVE-2017-6059: libapache2-mod-auth-openidc - Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for...↗2017

▶

💬Community

Bugzilla

CVE-2018-6059 chromium-browser: use-after-free in flash↗2018-03-07

▶

Bugzilla

CVE-2017-6059 CVE-2017-6062 CVE-2017-6413 mod_auth_openidc: various flaws [fedora-all]↗2017-02-21

▶

Bugzilla

CVE-2017-6059 mod_auth_openidc: Shows user-supplied content on error pages↗2017-02-21

▶