ID CVE-2019-3877
Summary A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests whose return URL begins with backslashes to pass through, because the module assumes such a URL is relative, while browsers silently convert backslash characters into forward slashes and treat the URL as absolute. This mismatch allows an attacker to bypass the redirect URL validation logic built on the apr_uri_parse function.
References
Vulnerable Configurations
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.4.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.5.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.0:-:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.0:rc1:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.7.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.10.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.12.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.1:*:*:*:*:apache:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 16-04-2019 - 18:29)
Impact:
Exploitability:
CWE CWE-601
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • bugzilla
    id 1702695
    title fresh install of mod_auth_mellon shows rpm verification warnings
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment mod_auth_mellon is earlier than 0:0.14.0-9.el8
            oval oval:com.redhat.rhsa:tst:20193421001
          • comment mod_auth_mellon is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141803002
        • AND
          • comment mod_auth_mellon-debugsource is earlier than 0:0.14.0-9.el8
            oval oval:com.redhat.rhsa:tst:20193421003
          • comment mod_auth_mellon-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190985004
        • AND
          • comment mod_auth_mellon-diagnostics is earlier than 0:0.14.0-9.el8
            oval oval:com.redhat.rhsa:tst:20193421005
          • comment mod_auth_mellon-diagnostics is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190766004
    rhsa
    id RHSA-2019:3421
    released 2019-11-05
    severity Moderate
    title RHSA-2019:3421: mod_auth_mellon security, bug fix, and enhancement update (Moderate)
  • rhsa
    id RHSA-2019:0766
rpms
  • mod_auth_mellon-0:0.14.0-2.el7_6.4
  • mod_auth_mellon-debuginfo-0:0.14.0-2.el7_6.4
  • mod_auth_mellon-diagnostics-0:0.14.0-2.el7_6.4
  • mod_auth_mellon-0:0.14.0-9.el8
  • mod_auth_mellon-debuginfo-0:0.14.0-9.el8
  • mod_auth_mellon-debugsource-0:0.14.0-9.el8
  • mod_auth_mellon-diagnostics-0:0.14.0-9.el8
  • mod_auth_mellon-diagnostics-debuginfo-0:0.14.0-9.el8
refmap via4
confirm
fedora
  • FEDORA-2019-2d8ee47f61
  • FEDORA-2019-db1e9b3002
ubuntu USN-3924-1
Last major update 16-04-2019 - 18:29
Published 27-03-2019 - 13:29
Last modified 16-04-2019 - 18:29