openidc/mod_auth_openidc vulnerabilities

16 known vulnerabilities affecting openidc/mod_auth_openidc.

Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 8, MEDIUM 8

Vulnerabilities

CVE-2025-31492 | HIGH | CVSS 8.2 | fixed in 2.4.16.11 | published 2025-04-06
[HIGH] CWE-200: mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestM
Sources: cvelistv5, nvd

CVE-2024-24814 | HIGH | CVSS 7.5 | affected ≥ 2.0.0, ≤ 2.4.15.1 (>= 2.0.0, < 2.4.15.2) | published 2024-02-13
[HIGH] CWE-400: mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions, missing input validation on the mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal securit
Sources: cvelistv5, nvd

CVE-2023-28625 | HIGH | CVSS 7.5 | affected ≥ 2.0.0, < 2.4.13.2 | published 2023-04-03
[HIGH] CWE-476: mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in
Sources: cvelistv5, nvd

CVE-2022-23527 | MEDIUM | CVSS 6.1 | fixed in 2.4.12.2 | published 2022-12-14
[MEDIUM] CWE-601: mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open r
Sources: nvd

CVE-2021-39191 | MEDIUM | CVSS 6.1 | fixed in 2.4.9.4 | published 2021-09-03
[MEDIUM] CWE-601: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supply
Sources: nvd

CVE-2021-32791 | MEDIUM | CVSS 5.9 | fixed in 2.4.9 | published 2021-07-26
[MEDIUM] CWE-323: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this create
Sources: nvd

CVE-2021-32792 | MEDIUM | CVSS 6.1 | fixed in 2.4.9 | published 2021-07-26
[LOW] CWE-79: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`.
Sources: nvd

CVE-2021-32785 | HIGH | CVSS 7.5 | fixed in 2.4.9 | published 2021-07-22
[MEDIUM] CWE-134: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted Redis cache (`OIDCCacheEncrypt off`, `OIDCSessionType server-cache`, `
Sources: nvd

CVE-2021-32786 | MEDIUM | CVSS 6.1 | fixed in 2.4.9 | published 2021-07-22
[MEDIUM] CWE-601: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypass
Sources: nvd

CVE-2021-20718 | HIGH | CVSS 7.5 | affected ≥ 2.4.0, ≤ 2.4.7 | published 2021-05-20
[HIGH] CWE-400: mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.
Sources: nvd

CVE-2019-20479 | MEDIUM | CVSS 6.1 | fixed in 2.4.1 | published 2020-02-20
[MEDIUM] CWE-601: A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
Sources: nvd

CVE-2019-14857 | MEDIUM | CVSS 6.1 | fixed in 2.4.0.1 | published 2019-11-26
[MEDIUM] CWE-601: A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.
Sources: nvd

CVE-2019-1010247 | MEDIUM | CVSS 6.1 | fixed in 2.3.10.2 | published 2019-07-19
[MEDIUM] CWE-79: ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.
Sources: nvd

CVE-2017-6059 | HIGH | CVSS 7.5 | fixed in 2.1.4 | published 2017-04-12
[HIGH] CWE-20: Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.
Sources: nvd

CVE-2017-6413 | HIGH | CVSS 8.6 | affected ≤ 2.1.5 | published 2017-03-02
[HIGH] CWE-287: The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
Sources: nvd

CVE-2017-6062 | HIGH | CVSS 8.6 | affected ≤ 2.1.4 | published 2017-03-02
[HIGH] CWE-287: The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
Sources: nvd