CVE-2019-3877

NameCVE-2019-3877
DescriptionA vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4414-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-mellon (PTS)buster0.14.2-1fixed
buster (security)0.14.2-1+deb10u1fixed
bullseye0.17.0-1+deb11u1fixed
bookworm0.18.1-1fixed
sid, trixie0.19.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-mellonsourcestretch0.12.0-2+deb9u1DSA-4414-1
libapache2-mod-auth-mellonsource(unstable)0.14.2-1

Notes

[jessie] - libapache2-mod-auth-mellon <no-dsa> (Open redirect protection not present in the first place)
https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8

Search for package or bug name: Reporting problems