CVE-2019-3878

Severity: 8.1 HIGH
EPSS: 2.0% (top 16.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26; latest update May 14

Description

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding the special HTTP headers that are normally used to start the SAML ECP (Enhanced Client or Proxy, non-browser based) flow can be used to bypass authentication.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (7 packages)

Source     | Package                     | Affected versions
Debian     | libapache2-mod-auth-mellon  | < 0.14.2-1+3
Ubuntu     | libapache2-mod-auth-mellon  | < 0.13.1-1ubuntu0.1
CVEListV5  | uninett/mod_auth_mellon     | before v0.14.2

Also affects: Fedora 29, 30, Ubuntu Linux 18.04, 18.10, Enterprise Linux 7.0, 7.6

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-6gx9-985p-w8c8: A vulnerability was found in mod_auth_mellon before v0... (2022-05-14)
OSV: libapache2-mod-auth-mellon vulnerabilities (2020-10-22)
OSV: libapache2-mod-auth-mellon vulnerabilities (2019-03-28)
OSV: CVE-2019-3878: A vulnerability was found in mod_auth_mellon before v0... (2019-03-26)
CVEList: CVE-2019-3878: A vulnerability was found in mod_auth_mellon before v0... (2019-03-26)

📋 Vendor Advisories (4)

Ubuntu: mod_auth_mellon vulnerabilities (2020-10-22)
Ubuntu: mod_auth_mellon vulnerabilities (2019-03-28)
Debian: CVE-2019-3878: libapache2-mod-auth-mellon - A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is config... (2019)
Red Hat: mod_auth_mellon: authentication bypass in ECP flow (2018-05-10)

💬 Community (2)

Bugzilla: CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow [fedora-all] (2019-03-20)
Bugzilla: CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow (2019-03-20)