High severity (CVSS 7.5) · NVD Advisory · Published Apr 3, 2023 · Updated Jun 17, 2026
CVE-2023-28625
Description
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.
Affected products
Upstream mod_auth_openidc (no CPE assigned):
- 2.0.0 - 2.4.13.1
- >= 2.0.0, < 2.4.13.2
Distribution packages (OSV coordinates, 30 entries; each shown with its fixed version, ranges paired with coordinates in the order listed):
- AlmaLinux cjose: < 0.6.1-4.module_el8.9.0+3631+0ced13d7
- AlmaLinux cjose-devel: < 0.6.1-4.module_el8.9.0+3631+0ced13d7
- AlmaLinux mod_auth_openidc: < 2.4.9.4-4.el9
- openSUSE Leap 15.4 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- openSUSE Leap 15.6 apache2-mod_auth_openidc: < 2.4.17.1-150600.16.14.1
- SUSE Enterprise Storage 7 / 7.1 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS / SP2-LTSS / SP3-ESPOS / SP3-LTSS apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Linux Enterprise Module for Server Applications 15 SP4 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Linux Enterprise Module for Server Applications 15 SP6 / SP7 apache2-mod_auth_openidc: < 2.4.17.1-150600.16.14.1
- SUSE Linux Enterprise Real Time 15 SP3 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Linux Enterprise Server 12 SP4-ESPOS / 12 SP4-LTSS / 12 SP5 apache2-mod_auth_openidc: < 2.4.0-7.9.1
- SUSE Linux Enterprise Server 15 SP1-LTSS / 15 SP2-LTSS / 15 SP3-LTSS apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4 / 12 SP5 apache2-mod_auth_openidc: < 2.4.0-7.9.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 / 15 SP2 / 15 SP3 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE Manager Proxy 4.2 / SUSE Manager Server 4.2 apache2-mod_auth_openidc: < 2.3.8-150100.3.25.1
- SUSE OpenStack Cloud 9 / SUSE OpenStack Cloud Crowbar 9 apache2-mod_auth_openidc: < 2.4.0-7.9.1
References (6)
- github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a (NVD: Patch)
- github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr (NVD: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2023/04/msg00034.html (NVD: Third Party Advisory)
- www.debian.org/security/2023/dsa-5405 (NVD: Third Party Advisory)
- github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.13.2 (NVD: Release Notes)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WIBKFC22PDH6UXMSZ23PHTD7736ZC7BB/ (NVD: Release Notes)