CVE-2021-39191

NameCVE-2021-39191
Descriptionmod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs993648

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-openidc (PTS)stretch2.1.6-1vulnerable
stretch (security)2.1.6-1+deb9u1vulnerable
buster2.3.10.2-1vulnerable
bullseye2.4.9-1vulnerable
bookworm, sid2.4.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-openidcsource(unstable)2.4.9.4-1993648

Notes

[bullseye] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
https://github.com/zmartzone/mod_auth_openidc/issues/672

Search for package or bug name: Reporting problems