What is CVE-2022-23527?

CVE-2022-23527 is a vulnerability in the mod_auth_openidc module for Apache 2.x that allows for Open Redirect attacks.

What versions of mod_auth_openidc are affected by CVE-2022-23527?

Versions prior to 2.4.12.2 of mod_auth_openidc are affected by CVE-2022-23527.

What is the severity of CVE-2022-23527?

CVE-2022-23527 has a severity rating of 6.1 (Medium).

How does CVE-2022-23527 work?

CVE-2022-23527 works by not properly checking the logout parameter in the redirect URI, allowing for Open Redirect attacks.

How can I fix CVE-2022-23527?

To fix CVE-2022-23527, update mod_auth_openidc to version 2.4.12.2 or later.

Vulnerability/
CVE-2022-23527

medium

6.1

CWE

601

14/12/2022

3/8/2024

CVE-2022-23527: Open Redirect in oidc_validate_redirect_url()

First published: Wed Dec 14 2022(Updated: )

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Openidc Mod Auth Openidc	<2.4.12.2
Debian Debian Linux	=10.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-23527?
CVE-2022-23527 is a vulnerability in the mod_auth_openidc module for Apache 2.x that allows for Open Redirect attacks.
What versions of mod_auth_openidc are affected by CVE-2022-23527?
Versions prior to 2.4.12.2 of mod_auth_openidc are affected by CVE-2022-23527.
What is the severity of CVE-2022-23527?
CVE-2022-23527 has a severity rating of 6.1 (Medium).
How does CVE-2022-23527 work?
CVE-2022-23527 works by not properly checking the logout parameter in the redirect URI, allowing for Open Redirect attacks.
How can I fix CVE-2022-23527?
To fix CVE-2022-23527, update mod_auth_openidc to version 2.4.12.2 or later.

collector/nvd-index
agent/author
agent/type
agent/softwarecombine
agent/weakness
agent/references
agent/description
collector/nvd-api
agent/software-canonical-lookup-request
collector/mitre-cve
source/MITRE
agent/title
agent/severity
agent/last-modified-date
agent/event
agent/first-publish-date
agent/tags
vendor/openidc
canonical/openidc mod auth openidc
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.