UBUNTU-CVE-2017-6413

Source
https://ubuntu.com/security/CVE-2017-6413
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-6413.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2017-6413
Published
2017-03-02T06:59:00Z
Modified
2025-01-13T10:21:21Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
[none]
Details

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

References

Affected packages

Ubuntu:Pro:16.04:LTS / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/ubuntu/libapache2-mod-auth-openidc@1.8.5-1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.6.0-1
1.8.5-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:18.04:LTS / libapache2-mod-auth-openidc

Package

Name
libapache2-mod-auth-openidc
Purl
pkg:deb/ubuntu/libapache2-mod-auth-openidc@2.3.3-1build1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.3.3-1build1

Affected versions

2.*

2.1.6-1
2.3.1-2
2.3.2-1
2.3.2-1build1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.3.3-1build1",
            "binary_name": "libapache2-mod-auth-openidc"
        },
        {
            "binary_version": "2.3.3-1build1",
            "binary_name": "libapache2-mod-auth-openidc-dbgsym"
        }
    ]
}