
CVE-2022-23527

Published: 14/12/2022 Updated: 21/07/2023
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions before 2.4.12.2 are vulnerable to an open redirect. When a logout parameter is supplied as the redirect URI, the existing code in oidc_validate_redirect_url() does not properly reject URLs that start with "/\t" (a slash followed by an ASCII tab). Browsers strip ASCII tab and newline characters when parsing a URL, so a value such as "/\t/attacker-host" that passes a check for a local path is followed as the protocol-relative URL "//attacker-host", sending the user to an attacker-chosen site. The issue is fixed in version 2.4.12.2. Users unable to upgrade can mitigate it by configuring mod_auth_openidc to allow redirection only when the destination matches a given regular expression with OIDCRedirectURLsAllowed.
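The check class involved, as an added illustration (this is not mod_auth_openidc's code; the function names, the simplified "weak" validator standing in for the pre-2.4.12.2 logic, the hardened variant, the allow-list pattern and the attack value are all constructed assumptions for this example):

```c
/* Added example: a miniature of the redirect-URL validation that
 * CVE-2022-23527 concerns. NOT the project's code; names and the weak
 * variant are assumptions made for illustration. Build: cc -std=c99 */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the flawed style of check: a target counts as
 * "local" if it starts with a single '/' not followed by '/' or '\\'.
 * It never looks at control characters, which is the weakness. */
int weak_is_safe_redirect(const char *url) {
    if (url == NULL || url[0] != '/')
        return 0;
    if (url[1] == '/' || url[1] == '\\')
        return 0;                       /* protocol-relative: reject */
    return 1;
}

/* What a browser does before resolving a Location header: the WHATWG URL
 * parser drops ASCII tab, LF and CR from the input. Copies the cleaned
 * string into out (NUL-terminated, truncated at outlen-1) and returns
 * its length. */
size_t browser_normalize(const char *url, char *out, size_t outlen) {
    size_t n = 0;
    for (; *url != '\0' && n + 1 < outlen; url++) {
        if (*url == '\t' || *url == '\n' || *url == '\r')
            continue;
        out[n++] = *url;
    }
    out[n] = '\0';
    return n;
}

/* Helper for tests: does url normalize to exactly expected? */
int normalizes_to(const char *url, const char *expected) {
    char buf[1024];
    browser_normalize(url, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Hardened check: refuse any C0 control character, space or DEL outright
 * (a legitimate redirect target percent-encodes these), so nothing the
 * browser would silently drop can change what the check saw. */
int hardened_is_safe_redirect(const char *url) {
    if (url == NULL || url[0] != '/')
        return 0;
    for (const char *p = url; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f)
            return 0;
    }
    if (url[1] == '/' || url[1] == '\\')
        return 0;
    return 1;
}

/* Stand-in for an allow-list regex in the spirit of OIDCRedirectURLsAllowed
 * (assumed semantics, not the module's): match against the string the
 * browser will actually use. Returns 1 on match, 0 otherwise. */
int allowed_by_regex(const char *url, const char *pattern) {
    char cleaned[1024];
    regex_t re;
    int ok;
    browser_normalize(url, cleaned, sizeof cleaned);
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    ok = regexec(&re, cleaned, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

int main(void) {
    /* Constructed attack value: a tab between the two leading slashes. */
    const char *attack = "/\t/evil.example/phish";
    char seen[256];
    browser_normalize(attack, seen, sizeof seen);
    printf("weak check accepts: %s; browser resolves it as %s\n",
           weak_is_safe_redirect(attack) ? "yes" : "no", seen);
    printf("hardened check accepts: %s\n",
           hardened_is_safe_redirect(attack) ? "yes" : "no");
    printf("allow-list ^/(account|logout) matches: %s\n",
           allowed_by_regex(attack, "^/(account|logout)") ? "yes" : "no");
    return 0;
}
```

The weak validator accepts the tabbed value because it only inspects the second byte, while the browser discards the tab and treats the result as protocol-relative. Two independent defences close it: rejecting control characters before any prefix test, and an allow-list pattern applied to the normalized destination. Note that a lax pattern such as ^/ would still match //evil.example after normalization, so anchor allow-list expressions on the full path or origin.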


Vulnerable Products

openidc mod_auth_openidc

Debian Linux 10.0

Vendor Advisories

Synopsis: Moderate: mod_auth_openidc security and bug fix update. Type/Severity: Security Advisory: Moderate. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory; view affected systems. Topic: An update for mod_auth_openidc is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has ra ...
Debian Bug report logs - #1026444 libapache2-mod-auth-openidc: CVE-2022-23527. Package: src:libapache2-mod-auth-openidc; Maintainer for src:libapache2-mod-auth-openidc is Moritz Schlarb <schlarbm@uni-mainz.de>; Reported by: Moritz Schlarb <schlarbm@uni-mainz.de>; Date: Tue, 20 Dec 2022 11:45:02 UTC; Severity: important ...
Description: The MITRE CVE dictionary describes this issue as: mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() d ...