Description
A flaw was found in mod_auth_openidc before version 2.4.1: an open redirect exists for URLs that begin with a slash followed by a backslash.
The open redirect was discovered in the way mod_auth_openidc handles the redirect it issues after logout. The module does not validate the redirect target correctly: a URL that starts with a slash and a backslash (/\) passes the check that is meant to confine redirects to the local site, because that check only recognises a leading // as an off-site (scheme-relative) target, while browsers treat a backslash in an http(s) URL as a forward slash and resolve /\host as //host, i.e. an absolute URL on another host. A victim can therefore be tricked into visiting a trusted but vulnerable site, which then redirects them to another, possibly malicious, URL.
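The following is an added example, not code from mod_auth_openidc or from the advisory. It contrasts a hypothetical prefix check of the kind the description refers to (accept anything that starts with a single slash) with the browser-side rule that defeats it (a backslash after the leading slash is read as a second slash, and tab/newline characters are dropped before parsing), and with a hardened check that rejects those forms. The hostnames and the check function names are placeholders chosen for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check in the style the advisory describes (NOT the module's
 * real code): a target counts as "on this site" if it starts with one '/'
 * that is not followed by a second '/'. Only the "//" form of a
 * scheme-relative URL is caught, so "/\evil.example" slips through. */
bool naive_is_local_redirect(const char *url)
{
    return url[0] == '/' && url[1] != '/';
}

/* Emulates the browser-side behaviour that turns the bypass into a real
 * redirect: for http(s) URLs the WHATWG URL parser drops ASCII tab and
 * newline characters anywhere in the input and treats '\' as '/'.
 * Returns true when `url`, resolved against the trusted site, would land on
 * another host (network-path reference or an absolute URL with a scheme). */
bool browser_resolves_offsite(const char *url)
{
    char norm[512];
    size_t n = 0;

    if (url == NULL) return false;
    for (const char *p = url; *p != '\0' && n < sizeof norm - 1; p++) {
        if (*p == '\t' || *p == '\n' || *p == '\r') continue; /* stripped by browsers */
        norm[n++] = (*p == '\\') ? '/' : *p;                   /* '\' behaves as '/' */
    }
    norm[n] = '\0';

    /* "//host/..." resolves to https://host/... */
    if (norm[0] == '/' && norm[1] == '/') return true;

    /* "scheme:..." with scheme = ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") */
    if (isalpha((unsigned char)norm[0])) {
        size_t i = 1;
        while (isalnum((unsigned char)norm[i]) || norm[i] == '+' ||
               norm[i] == '-' || norm[i] == '.')
            i++;
        if (norm[i] == ':') return true;
    }
    return false;
}

/* Hardened check (added example): accept only a path-absolute reference.
 * A NULL target is rejected instead of dereferenced, a second character of
 * '/' or '\' is rejected, and any control character is rejected so that
 * browser-side tab/newline stripping cannot reassemble "/\" or "//". */
bool hardened_is_local_redirect(const char *url)
{
    if (url == NULL || url[0] != '/') return false;
    if (url[1] == '/' || url[1] == '\\') return false;
    for (const char *p = url; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample redirect targets; the hostnames are placeholders. */
    const char *targets[] = {
        "/account/home",
        "//evil.example/",
        "/\\evil.example/",
        "/\t\\evil.example/",
        "https://evil.example/",
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        printf("%-24s naive=%d browser_offsite=%d hardened=%d\n",
               targets[i], naive_is_local_redirect(targets[i]),
               browser_resolves_offsite(targets[i]),
               hardened_is_local_redirect(targets[i]));
    }
    return 0;
}
```

The practical lesson is that a redirect-target allow-list must be evaluated the way the browser will parse the value, not the way a C string comparison sees it; rejecting anything other than a clean path-absolute reference (or, better, comparing the parsed host against the site's own host) closes the /\ form and its whitespace-padded variants together.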
Statement
It is not possible to reproduce the open redirect in the versions of mod_auth_openidc shipped with Red Hat Enterprise Linux 7: a missing check there makes the process crash with a NULL pointer dereference instead of continuing with the invalid URL, so the unvalidated redirect is never issued.
Additional information
CVSS3: 6.1 Medium
Related vulnerabilities
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.