CVE-2021-32786

CWE-601 — Open Redirect6 documents6 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 74.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zmartzone MOD Auth Openidc Openidc MOD Auth Openidc Fedoraproject Fedora

Timeline

PublishedJul 22

Description

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of th…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Debianlibapache2-mod-auth-openidc< 2.4.9-1+3

▶NVDopenidc/mod_auth_openidc< 2.4.9

▶CVEListV5zmartzone/mod_auth_openidc< 2.4.9

Also affects: Fedora 33, 34

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-32786: mod_auth_openidc is an authentication/authorization module for the Apache 2↗2021-07-22

▶

CVEList

Open Redirect in oidc_validate_redirect_url()↗2021-07-22

▶

📋Vendor Advisories

Red Hat

mod_auth_openidc: open redirect in oidc_validate_redirect_url()↗2021-07-22

▶

Microsoft

Open Redirect in oidc_validate_redirect_url()↗2021-07-13

▶

Debian

CVE-2021-32786: libapache2-mod-auth-openidc - mod_auth_openidc is an authentication/authorization module for the Apache 2.x HT...↗2021

▶