Home > Vulnerability Database > CVE-2021-32786

Mend.io Vulnerability Database

CVE-2021-32786

Date: July 21, 2021

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, "oidc_validate_redirect_url()" does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring "mod_auth_openidc" to only allow redirection whose destination matches a given regular expression.

Language: C

Severity Score

4.7

Related Resources (16)

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-32786

Url: https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html

Url: https://security-tracker.debian.org/tracker/CVE-2021-32786

Url: https://security.netapp.com/advisory/ntap-20210902-0001/

Url: https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/

Url: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-32786

Url: https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544

Url: https://access.redhat.com/security/cve/CVE-2021-32786

Url: https://www.mend.io/vulnerability-database/CVE-2021-32786

Severity Score

4.7

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-32786

Date: July 21, 2021

Language: C

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?