CVE-2019-3877 — Open Redirect in Auth Mellon Project MOD Auth Mellon
Severity: 6.1 MEDIUM (NVD); CNA: 5.8
EPSS: 0.8% (top 25.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 27
Latest update: May 14
Description
A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests containing backslashes to pass validation, because the module assumes such a URL is relative, while browsers silently convert backslash characters into forward slashes and treat the result as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic built on the apr_uri_parse function.
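The parser-versus-browser mismatch described above, as an added example that is not code from mod_auth_mellon or APR: a check that trusts the RFC 3986 parser's view of the URL beside one that first normalises the input the way browsers do (backslash to slash, tab and newline stripped) and then requires a single-slash local path. Function names and the sample URLs are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit


def naive_is_local(url: str) -> bool:
    """Validation that relies on the parser alone, in the spirit of the
    pre-0.14.2 check: no scheme and no authority means 'relative'."""
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def browser_view(url: str) -> str:
    """Rewrite the string the way a browser will before resolving it.
    The WHATWG URL parser drops ASCII tab/newline and, for http(s),
    treats a backslash exactly like a forward slash."""
    cleaned = url.replace("\t", "").replace("\n", "").replace("\r", "")
    return cleaned.replace("\\", "/")


def hardened_is_local(url: str) -> bool:
    """Validate the browser's view, not the raw string: reject any scheme
    or authority and demand an absolute path on this host, i.e. exactly
    one leading slash (a second slash would be read as an authority)."""
    normalised = browser_view(url)
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    return normalised.startswith("/") and not normalised.startswith("//")


if __name__ == "__main__":
    # Constructed sample: the parser sees a path, the browser sees a host.
    sample = "/\\evil.example/after-logout"
    print("naive    :", naive_is_local(sample))      # True  (accepted)
    print("hardened :", hardened_is_local(sample))   # False (rejected)
```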
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 2 packages
Also affects: Fedora 29, Ubuntu Linux 18.04, 18.10, Enterprise Linux 7.0
Patches
Vulnerability Details (5)
Vendor Advisories (5)
Red Hat
Debian: CVE-2019-3877: libapache2-mod-auth-mellon - A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in... (2019)
Community (3)
Bugzilla: CVE-2019-14857 mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes (2019-10-10)
Bugzilla: CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes [fedora-all] (2019-03-22)
Bugzilla: CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes (2019-03-20)