Description
ELSA-2025-3997: mod_auth_openidc:2.3 security update (IMPORTANT)
cjose mod_auth_openidc [2.4.9.4-7]
- Resolves: RHEL-86218 - mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data (CVE-2025-31492)
Updated packages
Oracle Linux 8
Oracle Linux aarch64
Module mod_auth_openidc:2.3 is enabled
cjose
0.6.1-4.module+el8.10.0+90549+7b4eddfc
cjose-devel
0.6.1-4.module+el8.10.0+90549+7b4eddfc
mod_auth_openidc
2.4.9.4-7.module+el8.10.0+90549+7b4eddfc
Oracle Linux x86_64
Module mod_auth_openidc:2.3 is enabled
cjose
0.6.1-4.module+el8.10.0+90549+7b4eddfc
cjose-devel
0.6.1-4.module+el8.10.0+90549+7b4eddfc
mod_auth_openidc
2.4.9.4-7.module+el8.10.0+90549+7b4eddfc
Related CVEs
Related vulnerabilities
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in mod_auth_openidc results in disclosure of protected content to unauthenticated users. The conditions for disclosure are an OIDCProviderAuthRequestMethod POST, a valid account, and no application-level gateway (or load balancer, etc.) protecting the server. When you request a protected resource, the response includes the HTTP status, the HTTP headers, the intended response (the self-submitting form), and the protected resource (with no headers). This is an example of a request for a protected resource, including all the data returned. In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd. This means httpd will try to issue the protected resource. oidc_content_handler is called early, which ...
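A defender-side check for the failure mode described above, added here as an example and not part of the advisory or of the mod_auth_openidc project: it lints an httpd config fragment for the OIDCProviderAuthRequestMethod POST precondition and inspects a captured HTTP response for content appended after the self-submitting form. The response text and config lines are constructed samples, and treating the closing `</html>` tag as the end of the form document is an assumption.

```python
"""Defensive checks for the mod_auth_openidc disclosure bug described above
(CVE-2025-31492). All sample data below is constructed for illustration."""
import re


# Config lint: the advisory names OIDCProviderAuthRequestMethod POST as a
# precondition, so flag configs that select it (commented lines are ignored).
def config_uses_post_auth_request(httpd_conf: str) -> bool:
    for line in httpd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "oidcproviderauthrequestmethod":
            return parts[1].upper() == "POST"
    return False


# Response inspection: per the advisory, a leaky response carries the
# self-submitting form and then the protected resource with no headers.
# Assumption: the form document ends at its closing </html> tag.
def trailing_content_after_form(raw_response: str) -> str:
    _head, _sep, body = raw_response.partition("\r\n\r\n")
    has_form = re.search(r"<form\b[^>]*\bmethod=[\"']?post", body, re.IGNORECASE)
    end = re.search(r"</html>", body, re.IGNORECASE)
    if not has_form or not end:
        return ""
    return body[end.end():].strip()


def response_leaks_protected_content(raw_response: str) -> bool:
    return bool(trailing_content_after_form(raw_response))


# Constructed sample of what the advisory describes: the auth form, then the
# protected document appended after it with no headers of its own.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body onload=\"document.forms[0].submit()\">"
    "<form method=\"post\" action=\"https://op.example/authorize\">"
    "<input type=\"hidden\" name=\"client_id\" value=\"demo\"></form>"
    "</body></html>\n"
    "<html><body>Internal report: CONSTRUCTED SECRET</body></html>\n"
)
# Constructed sample of a patched server: the form only, nothing appended.
SAMPLE_CLEAN = SAMPLE_LEAKY.split("</html>\n", 1)[0] + "</html>\n"

if __name__ == "__main__":
    print("leaky sample flagged:", response_leaks_protected_content(SAMPLE_LEAKY))
    print("clean sample flagged:", response_leaks_protected_content(SAMPLE_CLEAN))
```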