CVE-2022-23527

CVSS V2: None
CVSS V3: None
Description
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.
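As an added illustration (not code from mod_auth_openidc or its advisory), the Python below shows why a check that only inspects the raw prefix of a redirect target misses the `/\t` case named above, and how a check that first canonicalizes the URL the way browsers do (ASCII tab, CR and LF are discarded before parsing) rejects it. The allowlist helper models the OIDCRedirectURLsAllowed mitigation; the function names and the assumption that each allowlist entry is a regular expression matched against the whole canonicalized URL are mine, not the module's.

```python
import re
from urllib.parse import urlsplit

# Browsers discard ASCII tab, CR and LF while parsing a URL, so a validator
# must remove them before looking at the prefix (otherwise "/" + TAB + "/host"
# looks local to the validator but becomes "//host" in the browser).
_BROWSER_STRIPPED = str.maketrans("", "", "\t\r\n")

# Constructed allowlist in the spirit of OIDCRedirectURLsAllowed (assumption:
# regular expressions matched against the whole canonicalized URL).
ALLOWED = [
    r"https://app\.example\.com/.*",   # the application's own origin
    r"/(?!/).*",                       # a local path that is not protocol-relative
]


def naive_is_local(url: str) -> bool:
    """A raw prefix check of the kind the advisory describes as insufficient:
    it never strips control characters, so '/\\t/host' is accepted."""
    return url.startswith("/") and not url.startswith("//")


def canonicalize(url: str) -> str:
    """Approximate the browser's pre-parsing steps on a redirect target."""
    url = url.translate(_BROWSER_STRIPPED).strip()
    return url.replace("\\", "/")  # browsers treat '\' like '/' for http(s)


def is_local_redirect(url: str) -> bool:
    """Accept only an absolute path on the current origin."""
    u = canonicalize(url)
    if not u.startswith("/") or u.startswith("//"):
        return False
    parts = urlsplit(u)
    return parts.scheme == "" and parts.netloc == ""


def is_allowed_redirect(url: str, allowed_patterns: list[str]) -> bool:
    """Allowlist check: the canonicalized URL must fully match one pattern."""
    u = canonicalize(url)
    return any(re.fullmatch(p, u) for p in allowed_patterns)


if __name__ == "__main__":
    # Constructed sample targets: a local path and a tab-prefixed one.
    for target in ("/account", "/\t/evil.example", "//evil.example"):
        print(repr(target), naive_is_local(target),
              is_local_redirect(target), is_allowed_redirect(target, ALLOWED))
```

The point of the canonicalization step is that the check has to reason about the URL the browser will actually follow, not the bytes the server received; an allowlist regex applied to the canonicalized value is the same defence the advisory recommends for deployments that cannot upgrade.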
Overview
  • CVE ID: CVE-2022-23527
  • Assigner: security-advisories@github.com
  • Vulnerability Status: Analyzed
  • Published Version: 2022-12-14T18:15:20
  • Last Modified Date: 2023-05-25T20:18:46
CPE Configuration (Product)
CPE                                                   | Vulnerable | Operator | Version Start | Version End
cpe:2.3:a:zmartzone:mod_auth_openidc:*:*:*:*:*:*:*:*  | 1          | OR       | (none)        | 2.4.12.2
History
Created             | Old Value               | New Value           | Data Type            | Notes
2022-12-14 19:16:32 |                         |                     |                      | Added to TrackCVE
2022-12-18 04:35:35 | 2022-12-14T18:15:20.850 | 2022-12-14T18:15:20 | CVE Published Date   | updated
2022-12-18 04:35:36 |                         | 2022-12-16T20:50:44 | CVE Modified Date    | updated
2022-12-18 04:35:36 | Awaiting Analysis       | Analyzed            | Vulnerability Status | updated
2022-12-18 04:35:42 |                         |                     | CPE Information      | updated
2023-05-25 21:03:07 |                         | 2023-05-25T20:18:46 | CVE Modified Date    | updated