CVE-2021-3639

Name: CVE-2021-3639
Description: A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this vulnerability is to confidentiality and integrity.
Source: CVE (at NVD)
References: DLA-3359-1
Debian Bugs: 991730

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package: libapache2-mod-auth-mellon (PTS)

Release             Version             Status
buster              0.14.2-1            vulnerable
buster (security)   0.14.2-1+deb10u1    fixed
bullseye            0.17.0-1+deb11u1    fixed
bookworm            0.18.1-1            fixed
sid, trixie         0.19.0-1            fixed

The information below is based on the following data on fixed versions.

Package                      Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
libapache2-mod-auth-mellon   source   buster       0.14.2-1+deb10u1    -         DLA-3359-1   -
libapache2-mod-auth-mellon   source   bullseye     0.17.0-1+deb11u1    -         -            -
libapache2-mod-auth-mellon   source   (unstable)   0.18.0-1            -         -            991730

Notes

[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5
