ID CVE-2019-20479
Summary A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect exists for redirect target URLs that begin with a slash followed by a backslash ("/\"): browsers normalize the backslash to a slash in http(s) URLs, so such a "local-looking" target is loaded as a protocol-relative URL pointing at an attacker-chosen host.
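The check at issue is "is this post-login redirect target a local path?". Below is an added example, not mod_auth_openidc's own code, contrasting a naive version of that check (rejects only a leading "//") with a hardened one that also rejects a leading "/\", embedded backslashes and control characters. The function names and the sample target URLs are constructed for illustration; they are not taken from the project.

```c
#include <stdio.h>

/*
 * Added example, not mod_auth_openidc's own code. It contrasts a naive
 * "is this redirect target local?" check with a hardened one. The
 * function names and sample URLs are constructed for illustration.
 *
 * Why the backslash matters: for http(s) URLs browsers normalize '\' to
 * '/', so a target of "/\evil.example/" is loaded as "//evil.example/",
 * a protocol-relative URL pointing at an attacker-chosen host. A check
 * that only rejects a leading "//" therefore lets it through.
 */

/* Naive check: local if it starts with '/', but not with "//". */
int naive_is_local_redirect(const char *url)
{
    if (url == NULL || url[0] != '/')
        return 0;
    if (url[1] == '/')
        return 0;               /* protocol-relative "//host/..." */
    return 1;                   /* "/\host/..." slips through here */
}

/*
 * Hardened check: local only if it starts with '/' followed by neither
 * '/' nor '\', contains no backslash anywhere, and has no ASCII control
 * characters (browsers strip tab/CR/LF, which can hide a second slash).
 */
int hardened_is_local_redirect(const char *url)
{
    const char *p;

    if (url == NULL || url[0] != '/')
        return 0;
    if (url[1] == '/' || url[1] == '\\')
        return 0;
    for (p = url; *p != '\0'; p++) {
        if (*p == '\\')
            return 0;
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample targets, as a web app might receive them in a
     * "return to" parameter after login. */
    const char *samples[] = {
        "/account/profile",      /* legitimate local path          */
        "//evil.example/",       /* classic protocol-relative      */
        "/\\evil.example/",      /* slash + backslash (this CVE)   */
        "/\t/evil.example/",     /* tab hides a second slash       */
        "https://evil.example/", /* absolute URL                   */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-26s naive=%d hardened=%d\n", samples[i],
               naive_is_local_redirect(samples[i]),
               hardened_is_local_redirect(samples[i]));
    }
    return 0;
}
```

Running the block prints one line per sample; the "/\evil.example/" and tab-separated samples are the ones the naive check accepts and the hardened check rejects. A deny-list of two characters is still a fragile approach; where the application can, it should resolve the target against its own origin and compare hosts, or use an allow-list of local paths.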
Vulnerable Configurations
  • cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 25-05-2023 - 20:18)
CWE CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
redhat via4
advisories
  • bugzilla
    id 1844107
    title Module stream mod_auth_openidc:2.3 does not have correct module.md file [rhel-8.2.0.z]
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • comment Module mod_auth_openidc:2.3 is enabled
        oval oval:com.redhat.rhsa:tst:20203032011
      • OR
        • AND
          • comment cjose is earlier than 0:0.6.1-2.module+el8+2454+f890a43a
            oval oval:com.redhat.rhsa:tst:20203032001
          • comment cjose is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20203032002
        • AND
          • comment cjose-debugsource is earlier than 0:0.6.1-2.module+el8+2454+f890a43a
            oval oval:com.redhat.rhsa:tst:20203032003
          • comment cjose-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20203032004
        • AND
          • comment cjose-devel is earlier than 0:0.6.1-2.module+el8+2454+f890a43a
            oval oval:com.redhat.rhsa:tst:20203032005
          • comment cjose-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20203032006
        • AND
          • comment mod_auth_openidc is earlier than 0:2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
            oval oval:com.redhat.rhsa:tst:20203032007
          • comment mod_auth_openidc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20192112002
        • AND
          • comment mod_auth_openidc-debugsource is earlier than 0:2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
            oval oval:com.redhat.rhsa:tst:20203032009
          • comment mod_auth_openidc-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20203032010
    rhsa
    id RHSA-2020:3032
    released 2020-07-21
    severity Moderate
    title RHSA-2020:3032: mod_auth_openidc:2.3 security and bug fix update (Moderate)
  • bugzilla
    id 1805102
    title CVE-2019-20479 mod_auth_openidc: Open redirect issue exists in URLs with slash and backslash
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • comment mod_auth_openidc is earlier than 0:1.8.8-7.el7
        oval oval:com.redhat.rhsa:tst:20203970001
      • comment mod_auth_openidc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20192112002
    rhsa
    id RHSA-2020:3970
    released 2020-09-29
    severity Low
    title RHSA-2020:3970: mod_auth_openidc security update (Low)
rpms
  • cjose-0:0.6.1-2.module+el8+2454+f890a43a
  • cjose-debuginfo-0:0.6.1-2.module+el8+2454+f890a43a
  • cjose-debugsource-0:0.6.1-2.module+el8+2454+f890a43a
  • cjose-devel-0:0.6.1-2.module+el8+2454+f890a43a
  • mod_auth_openidc-0:2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
  • mod_auth_openidc-debuginfo-0:2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
  • mod_auth_openidc-debugsource-0:2.3.7-4.module+el8.2.0+6919+ac02cfd2.3
  • mod_auth_openidc-0:1.8.8-7.el7
  • mod_auth_openidc-debuginfo-0:1.8.8-7.el7
refmap via4
fedora
  • FEDORA-2020-1106ece93a
  • FEDORA-2020-33d51234cd
mlist
  • [debian-lts-announce] 20200229 [SECURITY] [DLA 2130-1] libapache2-mod-auth-openidc security
  • [debian-lts-announce] 20200729 [SECURITY] [DLA 2298-1] libapache2-mod-auth-openidc security update
suse openSUSE-SU-2020:0376
Last major update 25-05-2023 - 20:18
Published 20-02-2020 - 06:15
Last modified 25-05-2023 - 20:18