CVE-2019-3877

NameCVE-2019-3877
DescriptionA vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4414-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-mellon (PTS)jessie0.9.1-1vulnerable
stretch0.12.0-2vulnerable
stretch (security)0.12.0-2+deb9u1fixed
buster, sid0.14.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-mellonsource(unstable)0.14.2-1medium
libapache2-mod-auth-mellonsourcestretch0.12.0-2+deb9u1mediumDSA-4414-1

Notes

[jessie] - libapache2-mod-auth-mellon <no-dsa> (Open redirect protection not present in the first place)
https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8

Search for package or bug name: Reporting problems