Moderate: mod_auth_openidc:2.3 security update
Discription

The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* mod_auth_openidc: open redirect in oidc_validate_redirect_url() (CVE-2021-32786)

* mod_auth_openidc: hardcoded static IV and AAD with a reused key in AES GCM encryption (CVE-2021-32791)

* mod_auth_openidc: XSS when using OIDCPreservePost On (CVE-2021-32792)

* mod_auth_openidc: open redirect due to target_link_uri parameter not validated (CVE-2021-39191)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.Read More

References

https://vulners.com/cve/CVE-2021-32786https://vulners.com/cve/CVE-2021-32791https://vulners.com/cve/CVE-2021-32792https://vulners.com/cve/CVE-2021-39191https://errata.almalinux.org/8/ALSA-2022-1823.html

5.8 Medium

CVSS2

  • Access Vector
  • Access Complexity
  • Authentication
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Medium
  • None
  • Partial
  • Partial
  • None

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • None
  • Required
  • Changed
  • Low
  • Low
  • None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Back to Main
Subscribe for the latest news: