CVE-2023-28625

Published: 03 Apr 2023
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie is supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.

A flaw was found in mod_auth_openidc, an OpenID Certified™ authentication and authorization module for the Apache HTTP server. It is possible to trigger a NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied, leading to a segmentation fault and a denial of service.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | mod_auth_openidc | Not affected | | |
| Red Hat Enterprise Linux 8 | mod_auth_openidc | Fixed | RHSA-2023:6940 | 14.11.2023 |
| Red Hat Enterprise Linux 9 | mod_auth_openidc | Fixed | RHSA-2023:6365 | 07.11.2023 |

Additional information

Status: Moderate
Defect: CWE-476
https://bugzilla.redhat.com/show_bug.cgi?id=2184118 - mod_auth_openidc: NULL pointer dereference when OIDCStripCookies is set and a crafted Cookie header is supplied

EPSS

Percentile: 29%
0.00103
Low

7.5 High

CVSS3

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 2 years ago

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie is supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

CVSS3: 7.5
nvd
about 2 years ago

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie is supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

CVSS3: 7.5
debian
about 2 years ago

mod_auth_openidc is an authentication and authorization module for the ...

suse-cvrf
about 2 years ago

Security update for apache2-mod_auth_openidc

CVSS3: 7.5
redos
11 months ago

mod_auth_openidc vulnerability
