Zmartzone Mod Auth Openidc vulnerabilities

7 known vulnerabilities affecting zmartzone/mod_auth_openidc.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown (by listed CVSS severity): HIGH 2, MEDIUM 5

Vulnerabilities

CVE-2022-23527 | MEDIUM | CVSS 6.1 | fixed in 2.4.12.2 | 2022-12-14
[MEDIUM] CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open r […]
Sources: cvelistv5, nvd
CVE-2021-39191 | MEDIUM | CVSS 6.1 | affects <= 2.4.9.3 | 2021-09-03
[MEDIUM] CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supply […]
Sources: cvelistv5, nvd
CVE-2021-32791 | MEDIUM | CVSS 5.9 | fixed in 2.4.9 | 2021-07-26
[MEDIUM] CWE-323 (Reusing a Nonce, Key Pair in Encryption)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this create […]
Sources: cvelistv5, nvd
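Why a static IV (CWE-323) matters for AES-GCM: GCM encrypts with AES in CTR mode, so the keystream is a function of (key, IV) only. Encrypting two values under the same key and IV makes their XOR equal to the XOR of the plaintexts, and one known plaintext then decrypts every other ciphertext made under that pair (a repeated IV also exposes the GHASH authentication key, which is not modelled here). The following is an added example, not mod_auth_openidc code and not a reproduction of its cipher usage: it replaces AES with a SplitMix64-based stand-in keystream (no security, same structural property), uses a constructed key and two constructed fixed-layout session blobs, and shows that the recovery works when the IV is reused and fails when each encryption gets a fresh IV.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG 256

/* Stand-in keystream generator (SplitMix64 seeded from key and IV). It is
 * NOT AES and offers no security; it only models the property that matters:
 * GCM encrypts with AES-CTR, so the keystream depends only on (key, IV). */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void keystream(uint64_t key, uint64_t iv, uint8_t *out, size_t n)
{
    uint64_t s = key ^ (iv * 0xD6E8FEB86659FD93ULL), w = 0;
    for (size_t i = 0; i < n; i++) {
        if (i % 8 == 0)
            w = splitmix64(&s);
        out[i] = (uint8_t)(w >> (8 * (i % 8)));
    }
}

/* CTR-style encryption: ct[i] = pt[i] XOR ks[i]. The GCM tag is omitted;
 * it does not change this analysis. n must be <= MAX_MSG. */
void ctr_encrypt(uint64_t key, uint64_t iv, const uint8_t *pt, uint8_t *ct, size_t n)
{
    uint8_t ks[MAX_MSG];
    keystream(key, iv, ks, n);
    for (size_t i = 0; i < n; i++)
        ct[i] = pt[i] ^ ks[i];
}

/* Attacker step: with one known plaintext, ct1 ^ pt1 yields the keystream,
 * which decrypts every other ciphertext made under the same (key, IV). */
void recover_with_known_plaintext(const uint8_t *ct1, const uint8_t *pt1,
                                  const uint8_t *ct2, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = ct1[i] ^ pt1[i] ^ ct2[i];
}

/* Encrypts two constructed session blobs with the given IVs and reports
 * whether the known-plaintext attack recovers the second blob exactly.
 * iv1 == iv2 models OIDCCacheEncrypt-style encryption with a static IV. */
bool keystream_reuse_recovers(uint64_t iv1, uint64_t iv2)
{
    /* Constructed sample data; the key is unknown to the attacker. */
    const uint64_t key = 0x5EC2E7C0FFEE1234ULL;
    const uint8_t pt1[] = "session=alice;role=user ;exp=1700000000";
    const uint8_t pt2[] = "session=bob  ;role=admin;exp=1700000321";
    uint8_t ct1[MAX_MSG], ct2[MAX_MSG], got[MAX_MSG];
    size_t n = sizeof pt1 - 1;   /* fixed-layout blobs: same length */

    if (sizeof pt2 != sizeof pt1 || n > MAX_MSG)
        return false;
    ctr_encrypt(key, iv1, pt1, ct1, n);
    ctr_encrypt(key, iv2, pt2, ct2, n);
    recover_with_known_plaintext(ct1, pt1, ct2, got, n);
    return memcmp(got, pt2, n) == 0;
}

int main(void)
{
    printf("static IV (same nonce twice): attacker recovers blob 2? %s\n",
           keystream_reuse_recovers(7, 7) ? "yes" : "no");
    printf("fresh IV per encryption:      attacker recovers blob 2? %s\n",
           keystream_reuse_recovers(7, 8) ? "yes" : "no");
    return 0;
}
```

The practical check for a deployment is the same regardless of cipher: every call to the AEAD must receive a fresh, never-repeated IV (for 96-bit GCM nonces, random or counter-based per key), and the AAD should bind the context the ciphertext belongs to rather than being a constant.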
CVE-2021-32792 | MEDIUM | CVSS 6.1 | fixed in 2.4.9 | 2021-07-26
[LOW] CWE-79 (Cross-site Scripting)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`.
Sources: cvelistv5, nvd
CVE-2021-32785 | HIGH | CVSS 7.5 | fixed in 2.4.9 | 2021-07-22
[MEDIUM] CWE-134 (Use of Externally-Controlled Format String)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted Redis cache (`OIDCCacheEncrypt off`, `OIDCSessionType server-cache`, ` […]
Sources: cvelistv5, nvd
CVE-2021-32786 | MEDIUM | CVSS 6.1 | fixed in 2.4.9 | 2021-07-22
[MEDIUM] CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypass […]
Sources: cvelistv5, nvd
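Both open-redirect entries for `oidc_validate_redirect_url()` (CVE-2021-32786 above and CVE-2022-23527 at the top of the list) come down to the same mistake: the validator reasons about the raw string while the browser reasons about a normalized one. Browsers following the WHATWG URL parser strip leading and trailing C0 controls and spaces and delete every ASCII tab, LF and CR before parsing, so a target such as `/\t/evil.example` is seen by the validator as a relative path and by the browser as the scheme-relative URL `//evil.example`. The following is an added example, not code from mod_auth_openidc: `naive_is_local_redirect()` is a reconstruction of the kind of string check the advisories describe, `hardened_is_local_redirect()` applies the same rule after browser-style normalization, and `evil.example` is a placeholder host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_URL 2048

/* Pre-fix style rule, reconstructed from the advisory text (not the module's
 * code): accept the target as a same-site relative path when it begins with
 * a single "/" that is not followed by "/" or "\". Looks only at raw bytes. */
bool naive_is_local_redirect(const char *url)
{
    if (url == NULL || url[0] != '/')
        return false;
    return url[1] != '/' && url[1] != '\\';
}

/* Browser-style pre-processing from the WHATWG "basic URL parser": strip
 * leading/trailing C0 controls and spaces (bytes <= 0x20), then delete every
 * ASCII tab, LF and CR anywhere in the input. Returns false if the result
 * does not fit in out[]. */
static bool browser_normalize(const char *url, char *out, size_t outlen)
{
    size_t start = 0, end = strlen(url), o = 0;

    while (start < end && (unsigned char)url[start] <= 0x20)
        start++;
    while (end > start && (unsigned char)url[end - 1] <= 0x20)
        end--;
    for (size_t i = start; i < end; i++) {
        char c = url[i];
        if (c == '\t' || c == '\n' || c == '\r')
            continue;
        if (o + 1 >= outlen)
            return false;
        out[o++] = c;
    }
    out[o] = '\0';
    return true;
}

/* Hardened rule: the same structural check, applied to the string the
 * browser will actually interpret. "/\t/evil.example" normalizes to
 * "//evil.example", a scheme-relative URL, and is rejected. */
bool hardened_is_local_redirect(const char *url)
{
    char buf[MAX_URL];

    if (url == NULL || !browser_normalize(url, buf, sizeof buf))
        return false;
    if (buf[0] != '/' || buf[1] == '/' || buf[1] == '\\')
        return false;
    return true;
}

int main(void)
{
    /* Constructed probe inputs; evil.example is a placeholder host. */
    const char *probes[] = {
        "/protected/",
        "//evil.example/",
        "/\\evil.example/",
        "/\t/evil.example/",
        "/\t\\evil.example/",
        "   //evil.example/",
        "https://evil.example/",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("naive=%d hardened=%d  %s\n",
               naive_is_local_redirect(probes[i]),
               hardened_is_local_redirect(probes[i]), probes[i]);
    return 0;
}
```

Normalizing before validating is necessary but not sufficient on its own; an allow-list of permitted post-logout and return URLs, compared after the same normalization, is the stronger control, and the normalization should match the parser of whatever will consume the URL (browser, mobile app, or reverse proxy).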
CVE-2021-20718 | HIGH | CVSS 7.5 | affects 2.4.0 to 2.4.7 | 2021-05-20
[HIGH] CWE-400 (Uncontrolled Resource Consumption)
mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.
Sources: cvelistv5, nvd