CVE-2021-32785

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32785
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32785.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-32785
Aliases
  • GHSA-55r8-6w97-xxr4
Related
Published
2021-07-22T22:15:08Z
Modified
2024-10-12T07:00:14.053277Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When modauthopenidc versions prior to 2.4.9 are configured to use an unencrypted Redis cache (OIDCCacheEncrypt off, OIDCSessionType server-cache, OIDCCacheType redis), mod_auth_openidc wrongly performed argument interpolation before passing Redis requests to hiredis, which would perform it again and lead to an uncontrolled format string bug. Initial assessment shows that this bug does not appear to allow gaining arbitrary code execution, but can reliably provoke a denial of service by repeatedly crashing the Apache workers. This bug has been corrected in version 2.4.9 by performing argument interpolation only once, using the hiredis API. As a workaround, this vulnerability can be mitigated by setting OIDCCacheEncrypt to on, as cache keys are cryptographically hashed before use when this option is enabled.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/httpd

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/openidc/mod_auth_openidc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.3.11rc1

v1.*

v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.10
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9

v2.*

v2.0.0
v2.0.0rc1
v2.0.0rc4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.3.0
v2.3.0rc0
v2.3.0rc3
v2.3.1
v2.3.10
v2.3.10.1
v2.3.10.2
v2.3.11
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.0.1
v2.4.0.2
v2.4.0.3
v2.4.0.4
v2.4.1
v2.4.2
v2.4.2.1
v2.4.3
v2.4.4
v2.4.4.1
v2.4.5
v2.4.6
v2.4.7
v2.4.7.1
v2.4.7.2
v2.4.8.1
v2.4.8.2
v2.4.8.3
v2.4.8.4