CVE-2019-14857
mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes
Severity Score
Exploit Likelihood
Affected Versions
1Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.
Se encontró una fallo en mod_auth_openidc anterior de la versión 2.4.0.1. Existe un problema de redireccionamiento abierto en las URL con barras diagonales en mod_auth_mellon.
An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL.
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Issues addressed include an open redirection vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-11-26 CVE Published
- 2024-08-05 CVE Updated
- 2025-04-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (8)
URL | Date | SRC |
---|