Fluid Attacks Database

Description

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter. A patch in version 2.4.9.4 made it so that the OIDCRedirectURLsAllowed setting must be applied to the target_link_uri parameter. There are no known workarounds aside from upgrading to a patched version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libapache2-mod-auth-openidc	>=0 <2.4.9.4-1	2.4.9.4-1
debian 13	libapache2-mod-auth-openidc	>=0 <2.4.9.4-1	2.4.9.4-1
debian 14	libapache2-mod-auth-openidc	>=0 <2.4.9.4-1	2.4.9.4-1
debian 11	libapache2-mod-auth-openidc	=2.4.9-1 \|\| >=0 <2.4.9.4-0+deb11u1	2.4.9.4-0+deb11u1
rpm rhel7	mod_auth_openidc	-	-
rpm rhel8	mod_auth_openidc	<0:2.3.7-11.module+el8.6.0+14082+b6f23e95	0:2.3.7-11.module+el8.6.0+14082+b6f23e95

Aliases

1. CVE-2021-391912. NVD-2021-391913. OSV-DEBIAN-2021-391914. OSV-2021-391915. SECURITY-TRACKER-CVE-2021-39191

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.