Описание
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | ignored | end of life |
| bionic | not-affected | 2.3.3-1build1 |
| cosmic | not-affected | 2.3.3-1build1 |
| devel | not-affected | 2.3.3-1build1 |
| disco | not-affected | 2.3.3-1build1 |
| eoan | not-affected | 2.3.3-1build1 |
| esm-apps/bionic | not-affected | 2.3.3-1build1 |
| esm-apps/focal | not-affected | 2.3.3-1build1 |
| esm-apps/jammy | not-affected | 2.3.3-1build1 |
| esm-apps/noble | not-affected | 2.3.3-1build1 |
Показывать по
Ссылки на источники
EPSS
5 Medium
CVSS2
8.6 High
CVSS3
Связанные уязвимости
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka ...
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
ELSA-2019-2112: mod_auth_openidc security update (MODERATE)
EPSS
5 Medium
CVSS2
8.6 High
CVSS3