rpm package
almalinux/mod_auth_openidc
pkg:rpm/almalinux/mod_auth_openidc
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3891 | Hig | 7.5 | < 2.4.9.4-8.module_el8.10.0+3988+526f0275 | 2.4.9.4-8.module_el8.10.0+3988+526f0275 | Apr 29, 2025 | A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availab | |
| CVE-2025-31492 | Hig | — | < 2.4.9.4-7.module_el8.10.0+3978+e883c40d | 2.4.9.4-7.module_el8.10.0+3978+e883c40d | Apr 6, 2025 | mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthentic | |
| CVE-2024-24814 | Hig | 7.5 | < 2.4.9.4-6.module_el8.10.0+3881+234adf82 | 2.4.9.4-6.module_el8.10.0+3881+234adf82 | Feb 13, 2024 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the | |
| CVE-2023-37464 | Hig | 8.6 | < 2.4.9.4-1.module_el8.7.0+3305+9a59f0c3 | 2.4.9.4-1.module_el8.7.0+3305+9a59f0c3 | Jul 14, 2023 | OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. T | |
| CVE-2023-28625 | Hig | 7.5 | < 2.4.9.4-4.el9 | 2.4.9.4-4.el9 | Apr 3, 2023 | mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereferen | |
| CVE-2022-23527 | Med | 4.7 | < 2.4.9.4-4.el9 | 2.4.9.4-4.el9 | Dec 14, 2022 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() do | |
| CVE-2021-39191 | Med | 4.7 | < 2.3.7-11.module_el8.6.0+2868+44838709 | 2.3.7-11.module_el8.6.0+2868+44838709 | Sep 3, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_ope | |
| CVE-2021-32792 | Low | 3.1 | < 2.3.7-11.module_el8.6.0+2868+44838709 | 2.3.7-11.module_el8.6.0+2868+44838709 | Jul 26, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when us | |
| CVE-2021-32791 | Med | 5.9 | < 2.3.7-11.module_el8.6.0+2868+44838709 | 2.3.7-11.module_el8.6.0+2868+44838709 | Jul 26, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openi | |
| CVE-2021-32786 | Med | 4.7 | < 2.3.7-11.module_el8.6.0+2868+44838709 | 2.3.7-11.module_el8.6.0+2868+44838709 | Jul 22, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the |
- affected < 2.4.9.4-8.module_el8.10.0+3988+526f0275fixed 2.4.9.4-8.module_el8.10.0+3988+526f0275
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availab
- affected < 2.4.9.4-7.module_el8.10.0+3978+e883c40dfixed 2.4.9.4-7.module_el8.10.0+3978+e883c40d
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthentic
- affected < 2.4.9.4-6.module_el8.10.0+3881+234adf82fixed 2.4.9.4-6.module_el8.10.0+3881+234adf82
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the
- affected < 2.4.9.4-1.module_el8.7.0+3305+9a59f0c3fixed 2.4.9.4-1.module_el8.7.0+3305+9a59f0c3
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. T
- affected < 2.4.9.4-4.el9fixed 2.4.9.4-4.el9
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereferen
- affected < 2.4.9.4-4.el9fixed 2.4.9.4-4.el9
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() do
- affected < 2.3.7-11.module_el8.6.0+2868+44838709fixed 2.3.7-11.module_el8.6.0+2868+44838709
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_ope
- affected < 2.3.7-11.module_el8.6.0+2868+44838709fixed 2.3.7-11.module_el8.6.0+2868+44838709
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when us
- affected < 2.3.7-11.module_el8.6.0+2868+44838709fixed 2.3.7-11.module_el8.6.0+2868+44838709
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openi
- affected < 2.3.7-11.module_el8.6.0+2868+44838709fixed 2.3.7-11.module_el8.6.0+2868+44838709
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the