CVE-2019-3878 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2019-3878

CVE-2019-3878

March 26, 2019

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

Related Resources (14)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I/

https://access.redhat.com/errata/RHSA-2019:0746

https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3878

https://access.redhat.com/errata/RHBA-2019:0959

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I/

https://access.redhat.com/security/cve/CVE-2019-3878

https://access.redhat.com/errata/RHSA-2019:0766

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ/

https://usn.ubuntu.com/3924-1/

https://security-tracker.debian.org/tracker/CVE-2019-3878