Oracle Linux 7 : mod_auth_openidc (ELSA-2019-2112)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2019-2112 advisory.

– Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. (CVE-2017-6059)

– The OpenID Connect Relying Party and OAuth 2.0 Resource Server (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an AuthType oauth20 configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More

Back to Main

Subscribe for the latest news:
%d bloggers like this: