VYPR

mod_auth_openidc

by Zmartzone

CVEs (17)

  • CVE-2017-6413 | High | Mar 2, 2017
    risk 0.56 | cvss 8.6 | epss 0.04

    The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass…

  • CVE-2017-6062 | High | Mar 2, 2017
    risk 0.56 | cvss 8.6 | epss 0.04

    The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass…

  • CVE-2025-3891 | High | Apr 29, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting…

  • CVE-2021-20718 | High | May 20, 2021
    risk 0.49 | cvss 7.5 | epss 0.03

    mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vectors.

  • CVE-2017-6059 | High | Apr 12, 2017
    risk 0.49 | cvss 7.5 | epss 0.05

    Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.

  • CVE-2025-31492 | High | Apr 6, 2025
    risk 0.46 | cvss | epss 0.01

    mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in mod_auth_openidc results in disclosure of protected content to…

  • CVE-2019-20479 | Medium | Feb 20, 2020
    risk 0.33 | cvss 6.1 | epss 0.02

    A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.

  • CVE-2022-23527 | Medium | Dec 14, 2022
    risk 0.31 | cvss 4.7 | epss 0.01

    mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url()…

  • CVE-2024-24814 | High | Feb 13, 2024
    risk 0.00 | cvss 7.5 | epss 0.01

    mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes…

  • CVE-2023-28625 | High | Apr 3, 2023
    risk 0.00 | cvss 7.5 | epss 0.01

    mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer…

  • CVE-2021-39191 | Medium | Sep 3, 2021
    risk 0.00 | cvss 4.7 | epss 0.02

    mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of…

  • CVE-2021-32792 | Low | Jul 26, 2021
    risk 0.00 | cvss 3.1 | epss 0.02

    mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when…

  • CVE-2021-32791 | Medium | Jul 26, 2021
    risk 0.00 | cvss 5.9 | epss 0.01

    mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in…

  • CVE-2021-32786 | Medium | Jul 22, 2021
    risk 0.00 | cvss 4.7 | epss 0.02

    mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs…

  • CVE-2021-32785 | Medium | Jul 22, 2021
    risk 0.00 | cvss 5.3 | epss 0.03

    mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an…

  • CVE-2019-14857 | Medium | Nov 26, 2019
    risk 0.00 | cvss 6.1 | epss 0.02

    A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.

  • CVE-2019-1010247 | Medium | Jul 19, 2019
    risk 0.00 | cvss 6.1 | epss 0.01

    ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed…