AZL-26772

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26772.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-26772

Upstream

CVE-2023-28625

Published

2023-04-03T14:15:07Z

Modified

2026-04-01T05:08:47.964907Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2023-28625 affecting package mod_auth_openidc for versions less than 2.4.14.2-1

Details

modauthopenidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when OIDCStripCookies is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using OIDCStripCookies.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-28625

Affected packages

Azure Linux:2 / mod_auth_openidc

Package

Name: mod_auth_openidc
Purl: pkg:rpm/azure-linux/mod_auth_openidc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.14.2-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26772.json"