Description
A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the `require valid-user` directive), adding the special HTTP headers that are normally used to initiate the SAML ECP (Enhanced Client or Proxy, non-browser based) profile can be used to bypass authentication.
Report
This issue did not affect the versions of mod_auth_mellon as shipped with Red Hat Enterprise Linux 6 as they did not include support for ECP.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | mod_auth_mellon | Not affected | | |
| Red Hat Enterprise Linux 7 | mod_auth_mellon | Fixed | RHSA-2019:0766 | 16.04.2019 |
| Red Hat Enterprise Linux 8 | mod_auth_mellon | Fixed | RHSA-2019:0985 | 07.05.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | httpd24-httpd | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | httpd24-httpd | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | httpd24-mod_auth_mellon | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS | httpd24-httpd | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS | httpd24-mod_auth_mellon | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | httpd24-httpd | Fixed | RHSA-2019:0746 | 11.04.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | httpd24-mod_auth_mellon | Fixed | RHSA-2019:0746 | 11.04.2019 |
Additional information
Status:
CVSS3: 8.1 High
Related vulnerabilities
ELSA-2019-0985: mod_auth_mellon security update (IMPORTANT)
CVSS3: 8.1 High