First published: Wed Mar 20 2019
A vulnerability was found in mod_auth_mellon before v0.14.2. The logout handler validates the URL the user is sent back to after logout, but a URL that begins with backslashes (for example `\\attacker.example`) passes that check: apr_uri_parse, which the validation relies on, finds no scheme and no host in such a string, so the module treats it as a relative URL on the same site. Browsers, however, silently convert backslashes into forward slashes and treat the same string as an absolute URL pointing at the attacker's host. This parser mismatch lets an attacker bypass the redirect-URL validation and turn the logout endpoint into an open redirect.
Credit: secalert@redhat.com
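The mismatch described above, as an added example that is not mod_auth_mellon's own code: `aprStyleParse` is a deliberately simplified stand-in for apr_uri_parse (it recognises a host only after `scheme://` or a leading `//` and never treats a backslash as a separator), `browserTargetHost` uses the WHATWG URL parser that Node's global `URL` and modern browsers implement, and the allow-list, the `sp.example` and `evil.example` hosts and the sample ReturnTo values are constructed for illustration. `isAllowedVulnerable` has the shape of the pre-0.14.2 check; `isAllowedFixed` rejects backslashes up front, as the fix does; `isAllowedByResolution` is an additional defence-in-depth variant that validates the host the browser would actually land on.

```javascript
// Added example modelling CVE-2019-3877; not code from mod_auth_mellon or APR.

// Simplified model of apr_uri_parse's host detection (an assumption, not the
// real function): a host exists only after "scheme://" or a leading "//".
// A backslash is never a separator here, so "\\evil.example" has no host.
function aprStyleParse(uri) {
  let i = 0;
  while (i < uri.length && /[A-Za-z0-9+.-]/.test(uri[i])) i++;
  let scheme = null;
  let rest = uri;
  if (i > 0 && uri[i] === ":") {
    scheme = uri.slice(0, i).toLowerCase();
    rest = uri.slice(i + 1);
  }
  if (!rest.startsWith("//")) {
    return { scheme, hostname: null }; // no authority: looks like a same-site path
  }
  // authority runs up to the next '/', '?' or '#'; strip userinfo and port
  const authority = rest.slice(2).match(/^[^/?#]*/)[0];
  const hostname = authority.replace(/^.*@/, "").replace(/:\d*$/, "").toLowerCase();
  return { scheme, hostname };
}

// What the browser does with the same string: WHATWG URL resolution against the
// SP origin. For special schemes such as https a '\' is a separator like '/',
// so "\\evil.example" and "/\evil.example" both resolve to host evil.example.
function browserTargetHost(returnTo, spOrigin) {
  return new URL(returnTo, spOrigin).hostname;
}

// Vulnerable shape of the check (before 0.14.2): a URL in which the server-side
// parser finds no host is assumed to be relative and is allowed unconditionally.
function isAllowedVulnerable(returnTo, allowedHosts) {
  const { hostname } = aprStyleParse(returnTo);
  if (hostname === null) return true;
  return allowedHosts.includes(hostname);
}

// Hardened check: refuse any backslash before parsing, then apply the same
// allow-list. The server no longer has to guess how the browser will read it.
function isAllowedFixed(returnTo, allowedHosts) {
  if (returnTo.includes("\\")) return false;
  return isAllowedVulnerable(returnTo, allowedHosts);
}

// Defence in depth: resolve with the browser's own parser and allow-list the host
// the user would actually land on, instead of reasoning about the raw string.
function isAllowedByResolution(returnTo, spOrigin, allowedHosts) {
  let target;
  try {
    target = new URL(returnTo, spOrigin);
  } catch (e) {
    return false; // unparseable: refuse rather than guess
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  return allowedHosts.includes(target.hostname);
}

// Constructed sample inputs: sp.example is the SP, evil.example the attacker.
const SP_ORIGIN = "https://sp.example/";
const ALLOWED = ["sp.example"];
const SAMPLES = [
  "/account",
  "https://sp.example/done",
  "https://evil.example/",
  "\\\\evil.example",
  "/\\evil.example",
];

// One row per sample: what the server-side model concludes, where the browser
// really goes, and the verdict of each check.
function auditSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    serverThinksRelative: aprStyleParse(s).hostname === null,
    browserGoesTo: browserTargetHost(s, SP_ORIGIN),
    vulnerableAllows: isAllowedVulnerable(s, ALLOWED),
    fixedAllows: isAllowedFixed(s, ALLOWED),
    resolvedAllows: isAllowedByResolution(s, SP_ORIGIN, ALLOWED),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditSamples());
}
```

Run it with `node` and compare the `serverThinksRelative` and `browserGoesTo` columns for the two backslash rows: the server-side model calls them relative while the browser resolves them to `evil.example`, which is the whole bug. Rejecting backslashes closes this specific gap; validating the resolved host closes the gap for any string the two parsers disagree on.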
Affected Software | Affected Version | How to fix |
---|---|---|
Mod Auth Mellon Project Mod Auth Mellon | <0.14.2 | |
Fedoraproject Fedora | =29 | |
Redhat Enterprise Linux | =7.0 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
redhat/mod_auth_mellon | <0.14.2 | 0.14.2 |
ubuntu/libapache2-mod-auth-mellon | <0.13.1-1ubuntu0.1 | 0.13.1-1ubuntu0.1 |
ubuntu/libapache2-mod-auth-mellon | <0.14.0-1ubuntu0.1 | 0.14.0-1ubuntu0.1 |
ubuntu/libapache2-mod-auth-mellon | <0.14.2-1ubuntu1 | 0.14.2-1ubuntu1 |
ubuntu/libapache2-mod-auth-mellon | <0.14.2-1 | 0.14.2-1 |
ubuntu/libapache2-mod-auth-mellon | <0.12.0-2+ | 0.12.0-2+ |
debian/libapache2-mod-auth-mellon | | 0.17.0-1+deb11u1, 0.18.1-1, 0.19.1-1 |
CVE-2019-3877 is an open redirect in the logout handler of mod_auth_mellon before version 0.14.2.
The severity of CVE-2019-3877 is medium, with a CVSS score of 6.1.
To fix CVE-2019-3877, update mod_auth_mellon to version 0.14.2 or later, or install the patched distribution package listed in the table above.
You can find more information about CVE-2019-3877 at the following references: [Link 1], [Link 2], [Link 3].