CVE-2019-13038 — Open Redirect in Auth Mellon Project MOD Auth Mellon

CWE-601 — Open Redirect9 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

0.6%

top 31.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MOD Auth Mellon Project MOD Auth Mellon Canonical Ubuntu Linux Fedoraproject Fedora +1 more

Timeline

PublishedJun 29

Latest updateMay 24

Description

mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDmod_auth_mellon_project/mod_auth_mellon0.14.2

▶NVDoracle/zfs_storage_appliance_kit8.8

Also affects: Fedora 30, 31, Ubuntu Linux 18.04, 18.10

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-67h8-fxm4-vr72: mod_auth_mellon through 0↗2022-05-24

▶

OSV

CVE-2019-13038: mod_auth_mellon through 0↗2019-06-29

▶

CVEList

CVE-2019-13038: mod_auth_mellon through 0↗2019-06-29

▶

📋Vendor Advisories

Ubuntu

mod-auth-mellon vulnerability↗2020-02-24

▶

Red Hat

mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft↗2019-06-20

▶

Debian

CVE-2019-13038: libapache2-mod-auth-mellon - mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= subs...↗2019

▶

💬Community

Bugzilla

CVE-2019-13038 mod_auth_mellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft↗2019-07-01

▶

Bugzilla

CVE-2019-13038 mod_auth_mellon: an Open Redirect via the login?ReturnTo= substring which could facilitate information theft [fedora-all]↗2019-07-01

▶