CVE-2021-39191

NameCVE-2021-39191
Descriptionmod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3499-1
Debian Bugs993648

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-openidc (PTS)bullseye2.4.9.4-0+deb11u4fixed
bullseye (security)2.4.9.4-0+deb11u3fixed
bookworm2.4.12.3-2+deb12u2fixed
sid, trixie2.4.16.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-openidcsourcebuster2.3.10.2-1+deb10u3DLA-3499-1
libapache2-mod-auth-openidcsourcebullseye2.4.9.4-0+deb11u1
libapache2-mod-auth-openidcsource(unstable)2.4.9.4-1993648

Notes

[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
https://github.com/zmartzone/mod_auth_openidc/issues/672
Search for package or bug name: Reporting problems