CVE-2022-23527 - OpenCVE

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Openidc	Mod Auth Openidc
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984	Product
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/07/msg00020.html	Mailing List

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-14T17:22:30.105Z

Updated: 2023-07-19T00:06:15

Reserved: 2022-01-19T21:23:53.784Z

Link: CVE-2022-23527

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-12-14T18:15:20.850

Modified: 2023-07-21T19:25:39.177

Link: CVE-2022-23527

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-23527", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.784Z", "datePublished": "2022-12-14T17:22:30.105Z", "dateUpdated": "2023-07-19T00:06:15"}, "containers": {"cna": {"title": "Open Redirect in oidc_validate_redirect_url() ", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53"}, {"name": "https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984", "tags": ["x_refsource_MISC"], "url": "https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00020.html"}], "affected": [{"vendor": "zmartzone", "product": "mod_auth_openidc", "versions": [{"version": "< 2.4.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-14T17:22:30.105Z"}, "descriptions": [{"lang": "en", "value": "mod_auth_openidc is an OpenID Certified\u2122 authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed."}], "source": {"advisory": "GHSA-q6f2-285m-gr53", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*", "matchCriteriaId": "2154DC4B-791C-45E2-BC99-EB188F6AC62E", "versionEndExcluding": "2.4.12.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "mod_auth_openidc is an OpenID Certified\u2122 authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed."}, {"lang": "es", "value": "mod_auth_openidc tiene certificaci\u00f3n OpenID? M\u00f3dulo de autenticaci\u00f3n y autorizaci\u00f3n para el servidor HTTP Apache 2.x. Las versiones anteriores a la 2.4.12.2 son vulnerables a Open Redirect. Al proporcionar un par\u00e1metro de cierre de sesi\u00f3n al URI de redireccionamiento, el c\u00f3digo existente en oidc_validate_redirect_url() no busca correctamente las URL que comienzan con /\\t, lo que genera un redireccionamiento abierto. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.12.2. Los usuarios que no puedan actualizar pueden mitigar el problema configurando mod_auth_openidc para permitir solo la redirecci\u00f3n cuando el destino coincida con una expresi\u00f3n regular determinada con OIDCRedirectURLsAllowed."}], "id": "CVE-2022-23527", "lastModified": "2023-07-21T19:25:39.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-14T18:15:20.850", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L975-L984"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00020.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Secondary"}]}