CVE-2019-14857
mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.
Se encontró una fallo en mod_auth_openidc anterior de la versión 2.4.0.1. Existe un problema de redireccionamiento abierto en las URL con barras diagonales en mod_auth_mellon.
An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL.
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Issues addressed include an open redirection vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-11-26 CVE Published
- 2024-08-05 CVE Updated
- 2025-04-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://groups.google.com/forum/#%21topic/mod_auth_openidc/boy1Ba3Gdk4 | X_refsource_confirm | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html | Mailing List |
|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2019-14857 | 2020-09-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1760613 | 2020-09-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openidc Search vendor "Openidc" | Mod Auth Openidc Search vendor "Openidc" for product "Mod Auth Openidc" | < 2.4.0.1 Search vendor "Openidc" for product "Mod Auth Openidc" and version " < 2.4.0.1" | - |
Affected
|