|Description||mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 18.104.22.168, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 22.214.171.124 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
[bullseye] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)