CVE-2019-14857

Published: 26/11/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

CVE-2019-14857: An open redirect flaw exists in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL.

CVE-2019-20479: An open redirect flaw exists in mod_auth_openidc where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with slash and backslash at the beginning to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect him to another, possibly malicious, URL.
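The kind of check the summary describes, as an added example in C that is not mod_auth_openidc's own code: a naive "starts with a slash" test beside a stricter one that also rejects the double-slash and slash-backslash prefixes. The function names and sample URLs are assumptions, and only site-relative targets are handled, so absolute URLs are rejected outright.

```c
#include <stddef.h>
#include <stdio.h>

/* Naive check (constructed for illustration): anything starting with '/'
 * is assumed to be a path on the local site. */
static int naive_is_local(const char *url)
{
    return url != NULL && url[0] == '/';
}

/* Stricter check: accept only a path-absolute reference on this site. */
static int strict_is_local(const char *url)
{
    const unsigned char *p = (const unsigned char *)url;

    if (p == NULL || p[0] != '/')
        return 0;
    /* "//host" is a scheme-relative URL, and browsers treat '\' like '/',
     * so "/\host" resolves to another host as well. */
    if (p[1] == '/' || p[1] == '\\')
        return 0;
    /* Control characters have no place in a redirect target. */
    for (; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; example.net stands for any foreign host. */
    const char *samples[] = {
        "/loggedout.html", "//example.net/", "/\\example.net/",
        "https://example.net/"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s naive=%d strict=%d\n", samples[i],
               naive_is_local(samples[i]), strict_is_local(samples[i]));
    return 0;
}
```

A deployment that must allow absolute logout targets would additionally parse the URL and compare its host against an explicit allow-list.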

Vulnerable Product

openidc mod auth openidc

Vendor Advisories

Debian Bug report logs - #942165 CVE-2019-14857. Package: libapache2-mod-auth-openidc; Maintainer for libapache2-mod-auth-openidc is Moritz Schlarb <schlarbm@uni-mainz.de>; Source for libapache2-mod-auth-openidc is src:libapache2-mod-auth-openidc (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org> D ...
Synopsis: Low: mod_auth_openidc security update. Type/Severity: Security Advisory: Low. Topic: An update for mod_auth_openidc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, ...
Synopsis: Moderate: mod_auth_openidc:23 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for the mod_auth_openidc:23 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate ...
An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL (CV ...