Description
ELSA-2019-2112: mod_auth_openidc security update (MODERATE)
[1.8.8-5]
- Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and OIDCAuthNHeader not skipped in an 'AuthType oauth20' configuration [rhel-7]
[1.8.8-4]
- Resolves: rhbz#1626299 - CVE-2017-6059 mod_auth_openidc: Shows user-supplied content on error pages [rhel-7]
Updated packages
Oracle Linux 7
Oracle Linux aarch64
mod_auth_openidc
1.8.8-5.el7
Oracle Linux x86_64
mod_auth_openidc
1.8.8-5.el7
Related CVEs
Related vulnerabilities
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
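As an added illustration (not the module's own code), the following models the header handling behind CVE-2017-6413: client-supplied OIDC_CLAIM_* and OIDCAuthNHeader headers must be dropped before a request reaches the backend, and the defect was that this scrubbing was skipped under 'AuthType oauth20'. The authn header name OIDC_REMOTE_USER and the sample request are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

CLAIM_PREFIX = "oidc_claim_"
# Assumption: the header name configured by the site's OIDCAuthNHeader directive.
AUTHN_HEADER = "oidc_remote_user"


def is_identity_header(name: str, authn_header: str = AUTHN_HEADER) -> bool:
    """Headers that only the module itself may set: OIDC_CLAIM_* and the
    OIDCAuthNHeader header (compared case-insensitively, as HTTP requires)."""
    n = name.strip().lower()
    return n.startswith(CLAIM_PREFIX) or n == authn_header.lower()


def scrub_inbound(headers: Dict[str, str], auth_type: str,
                  fixed: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Drop client-supplied identity headers before the request is handled.

    fixed=False reproduces the pre-2.1.6 defect: scrubbing only ran for
    'AuthType openid-connect', so under 'AuthType oauth20' forged headers
    reached the backend unchanged. fixed=True scrubs for both auth types."""
    scrub_types = {"openid-connect", "oauth20"} if fixed else {"openid-connect"}
    if auth_type not in scrub_types:
        return dict(headers), []
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_identity_header(name):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def set_claims_from_token(headers: Dict[str, str],
                          claims: Dict[str, str]) -> Dict[str, str]:
    """After the access token has been validated, the module populates the
    OIDC_CLAIM_* headers itself; only these values may be trusted downstream."""
    out = dict(headers)
    for claim, value in claims.items():
        out["OIDC_CLAIM_" + claim] = value
    return out


# Constructed sample: a bearer-token request that also carries a forged
# subject claim, a forged e-mail claim and a forged authn header.
SAMPLE_REQUEST = {
    "Authorization": "Bearer <opaque access token>",
    "OIDC_CLAIM_sub": "admin",
    "oidc_claim_email": "admin@example.test",
    "OIDC_REMOTE_USER": "admin",
    "X-Request-Id": "abc123",
}
```

Under the unfixed behaviour the forged OIDC_CLAIM_sub survives an oauth20 request; with the fix only the module's own post-validation claims reach the backend.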
Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.