CVE-2022-23527

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-23527

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23527.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-23527

Related

Published

2022-12-14T18:15:20Z

Modified

2025-02-14T11:33:03.948810Z

Downstream

RHSA-2023:6940

RHSA-2023:6365

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

modauthopenidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidcvalidateredirecturl() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring modauth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

References

Affected packages

Debian:11 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9.4-0+deb11u2

Affected versions

2.*

2.4.9-1

2.4.9.4-0+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.12.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/debian/libapache2-mod-auth-openidc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.12.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/openidc/mod_auth_openidc

Affected ranges

Type: GIT
Repo: https://github.com/openidc/mod_auth_openidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87119f44b9a88312dbc1f752d720bcd2371b94a8

Affected versions

2.*

2.3.11rc1

v1.*

v1.5

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.8.0

v1.8.1

v1.8.10

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v2.*

v2.0.0

v2.0.0rc1

v2.0.0rc4

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.2.0

v2.3.0

v2.3.0rc0

v2.3.0rc3

v2.3.1

v2.3.10

v2.3.10.1

v2.3.10.2

v2.3.11

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.0.1

v2.4.0.2

v2.4.0.3

v2.4.0.4

v2.4.1

v2.4.10

v2.4.11

v2.4.11.1

v2.4.11.2

v2.4.11.3

v2.4.12

v2.4.12.1

v2.4.2

v2.4.2.1

v2.4.3

v2.4.4

v2.4.4.1

v2.4.5

v2.4.6

v2.4.7

v2.4.7.1

v2.4.7.2

v2.4.8.1

v2.4.8.2

v2.4.8.3

v2.4.8.4

v2.4.9

v2.4.9.1

v2.4.9.2

v2.4.9.3

v2.4.9.4