CVE-2022-23527

NameCVE-2022-23527
Descriptionmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3499-1
Debian Bugs1026444

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-auth-openidc (PTS)buster2.3.10.2-1+deb10u1vulnerable
buster (security)2.3.10.2-1+deb10u3fixed
bullseye2.4.9.4-0+deb11u2fixed
bullseye (security)2.4.9.4-0+deb11u3fixed
bookworm2.4.12.3-2fixed
sid, trixie2.4.14.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-auth-openidcsourcebuster2.3.10.2-1+deb10u3DLA-3499-1
libapache2-mod-auth-openidcsourcebullseye2.4.9.4-0+deb11u2
libapache2-mod-auth-openidcsource(unstable)2.4.12.2-11026444

Notes

https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8 (v2.4.12.2)
Search for package or bug name: Reporting problems