Rapid7 Vulnerability & Exploit Database

Alma Linux: CVE-2021-32786: Moderate: mod_auth_openidc:2.3 security update (ALSA-2022-1823)

Back to Search

Alma Linux: CVE-2021-32786: Moderate: mod_auth_openidc:2.3 security update (ALSA-2022-1823)

Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
07/22/2021
Created
05/14/2022
Added
05/13/2022
Modified
05/13/2022

Description

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.

Solution(s)

  • alma-upgrade-cjose
  • alma-upgrade-cjose-devel
  • alma-upgrade-mod_auth_openidc

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;