rpm package
suse/apache2-mod_auth_openidc&distro=SUSE Linux Enterprise Module for Server Applications 15 SP6
pkg:rpm/suse/apache2-mod_auth_openidc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3891 | Hig | 7.5 | < 2.3.8-150600.16.11.1 | 2.3.8-150600.16.11.1 | Apr 29, 2025 | A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availab | |
| CVE-2025-31492 | Hig | — | < 2.3.8-150600.16.8.1 | 2.3.8-150600.16.8.1 | Apr 6, 2025 | mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthentic | |
| CVE-2024-24814 | Hig | 7.5 | < 2.3.8-150600.16.5.1 | 2.3.8-150600.16.5.1 | Feb 13, 2024 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the | |
| CVE-2023-28625 | Hig | 7.5 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Apr 3, 2023 | mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereferen | |
| CVE-2022-23527 | Med | 4.7 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Dec 14, 2022 | mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() do | |
| CVE-2021-39191 | Med | 4.7 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Sep 3, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_ope | |
| CVE-2021-32792 | Low | 3.1 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Jul 26, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when us | |
| CVE-2021-32791 | Med | 5.9 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Jul 26, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openi | |
| CVE-2021-32786 | Med | 4.7 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Jul 22, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the | |
| CVE-2021-32785 | Med | 5.3 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Jul 22, 2021 | mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted | |
| CVE-2019-20479 | Med | 6.1 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Feb 20, 2020 | A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. | |
| CVE-2019-14857 | Med | 6.1 | < 2.4.17.1-150600.16.14.1 | 2.4.17.1-150600.16.14.1 | Nov 26, 2019 | A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon. |
- affected < 2.3.8-150600.16.11.1fixed 2.3.8-150600.16.11.1
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availab
- affected < 2.3.8-150600.16.8.1fixed 2.3.8-150600.16.8.1
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a mod_auth_openidc results in disclosure of protected content to unauthentic
- affected < 2.3.8-150600.16.5.1fixed 2.3.8-150600.16.5.1
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereferen
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() do
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_ope
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when us
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openi
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
- affected < 2.4.17.1-150600.16.14.1fixed 2.4.17.1-150600.16.14.1
A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.