CVE-2021-32786: Open Redirect in oidc_validate_redirect_url()
First published: Thu Jul 22 2021(Updated: )
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openidc Mod Auth Openidc | <2.4.9 | |
| Apache HTTP server | >=2.0.0<=2.4.48 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/
- https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544
- https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
- https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7
- https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
- https://security.netapp.com/advisory/ntap-20210902-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
Frequently Asked Questions
What is CVE-2021-32786?
CVE-2021-32786 is a vulnerability in the mod_auth_openidc module that allows an attacker to bypass security controls and potentially perform unauthorized actions.
What is mod_auth_openidc?
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party.
What does CVE-2021-32786 affect?
CVE-2021-32786 affects mod_auth_openidc versions prior to 2.4.9.
How does CVE-2021-32786 work?
CVE-2021-32786 is caused by the `oidc_validate_redirect_url()` function not parsing URLs correctly, which can lead to security bypass vulnerabilities.
How can I fix CVE-2021-32786?
To fix CVE-2021-32786, update mod_auth_openidc to version 2.4.9 or later.
- collector/nvd-index
- agent/softwarecombine
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/openidc
- canonical/openidc mod auth openidc
- vendor/apache
- canonical/apache http server
- version/apache http server/2.0.0
- version/apache http server/2.4.48
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34