CVE-2023-28625
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-28625 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-03 14:15:00 UTC |
| Updated | 2023-05-31 20:15:00 UTC |
| Description | mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault of the handling process. This can be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`. |
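The description says only that `OIDCStripCookies` plus a crafted cookie leads to a NULL pointer dereference. The following is an added illustration and is not mod_auth_openidc's code: a simplified model of a cookie-stripping loop in which the first token returned by the tokenizer is used before it is checked for NULL, next to the same loop restructured so the check guards the body. The function names, the plain-libc stand-ins for APR, the constructed Cookie headers, and the choice of a header that yields no cookie token (such as a bare `;`) as the crashing input are assumptions made for this example; the page itself does not state the actual trigger.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not mod_auth_openidc's code: a simplified model of the
 * cookie-stripping loop behind OIDCStripCookies, with plain libc standing in
 * for APR. The crashing input (a Cookie header that yields no token) is an
 * assumption made for this illustration. */

/* Constructed strip list, in the spirit of "OIDCStripCookies <name>". */
static const char *const STRIP[] = { "mod_auth_openidc_session" };
enum { NSTRIP = 1 };

/* Tokenizer with apr_strtok-like behaviour: leading separators are skipped and
 * NULL is returned when only separators remain (so ";" and "" both give NULL). */
static char *next_cookie(char *s, char **ctx) {
    return strtok_r(s, ";", ctx);
}

/* True when `cookie` is "<name>=...". Dereferences `cookie` unconditionally. */
static int cookie_named(const char *cookie, const char *name) {
    size_t n = strlen(name);
    return strncmp(cookie, name, n) == 0 && cookie[n] == '=';
}

/* Re-join kept cookies as "a=1; b=2". Caller frees the result. */
static char *append_cookie(char *result, const char *cookie) {
    if (result == NULL)
        return strdup(cookie);
    size_t len = strlen(result) + strlen(cookie) + 3;   /* "; " plus NUL */
    char *out = malloc(len);
    snprintf(out, len, "%s; %s", result, cookie);
    free(result);
    return out;
}

/* Vulnerable shape: do/while uses the first token before testing it. When the
 * header produces no token at all, `cookie` is NULL on entry and cookie_named()
 * dereferences it: a segmentation fault, i.e. the DoS the CVE describes. */
char *strip_cookies_vulnerable(const char *header, const char *const *strip, int nstrip) {
    char *buf = strdup(header), *ctx = NULL, *result = NULL;
    char *cookie = next_cookie(buf, &ctx);
    do {
        while (cookie != NULL && *cookie == ' ')
            cookie++;
        int i;
        for (i = 0; i < nstrip; i++)
            if (cookie_named(cookie, strip[i]))   /* NULL deref when no token */
                break;
        if (i == nstrip)
            result = append_cookie(result, cookie);
        cookie = next_cookie(NULL, &ctx);
    } while (cookie != NULL);
    free(buf);
    return result;
}

/* Hardened shape: the NULL check guards the loop body, so a header with no
 * cookie token yields an empty result instead of a crash. */
char *strip_cookies_fixed(const char *header, const char *const *strip, int nstrip) {
    char *buf = strdup(header), *ctx = NULL, *result = NULL;
    char *cookie = next_cookie(buf, &ctx);
    while (cookie != NULL) {
        while (*cookie == ' ')
            cookie++;
        int i;
        for (i = 0; i < nstrip; i++)
            if (cookie_named(cookie, strip[i]))
                break;
        if (i == nstrip)
            result = append_cookie(result, cookie);
        cookie = next_cookie(NULL, &ctx);
    }
    free(buf);
    return result;
}

/* Run one implementation and compare with the expected header (NULL = nothing kept). */
int check_strip(char *(*fn)(const char *, const char *const *, int),
                const char *header, const char *expected) {
    char *out = fn(header, STRIP, NSTRIP);
    int ok = (out == NULL && expected == NULL) ||
             (out != NULL && expected != NULL && strcmp(out, expected) == 0);
    free(out);
    return ok;
}

int main(int argc, char **argv) {
    const char *hdr = "foo=1; mod_auth_openidc_session=abc; bar=2";   /* constructed */
    printf("fixed, normal header keeps the others: %d\n",
           check_strip(strip_cookies_fixed, hdr, "foo=1; bar=2"));
    printf("fixed, header ';' yields nothing: %d\n",
           check_strip(strip_cookies_fixed, ";", NULL));
    /* Only on request: the vulnerable loop on the same input segfaults. */
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        strip_cookies_vulnerable(";", STRIP, NSTRIP);
    return 0;
}
```

Both loops behave identically on well-formed headers; the difference is only reachable through input the server does not control, which is why the advisory treats it as an availability issue rather than a bypass. Running the binary with `--crash` reproduces the segmentation fault in the model; without that flag it only exercises the hardened path.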
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| segfault DoS when OIDCStripCookies is set · Advisory · OpenIDC/mod_auth_openidc · GitHub | MISC | github.com | |
| Debian -- Security Information -- DSA-5405-1 libapache2-mod-auth-openidc | MISC | www.debian.org | |
| 2.4.13.2: prevent DoS core dump with OIDCStripCookies; CVE-2023-28625 · OpenIDC/mod_auth_openidc@c0e1eda · GitHub | MISC | github.com | |
| [SECURITY] Fedora 38 Update: mod_auth_openidc-2.4.13.2-1.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| Release release 2.4.13.2 · OpenIDC/mod_auth_openidc · GitHub | MISC | github.com | |
| [SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update | MISC | lists.debian.org | |
| mod_auth_openidc/src/mod_auth_openidc.c at 3f11976dab56af0a46a7dddb7a275cc16d6eb726 · OpenIDC/mod_auth_openidc · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 161083 Oracle Enterprise Linux Security Update for mod_auth_openidc (ELSA-2023-6365)
- 161183 Oracle Enterprise Linux Security Update for mod_auth_openidc:2.3 (ELSA-2023-6940)
- 181758 Debian Security Update for libapache2-mod-auth-openidc (DLA 3409-1)
- 181791 Debian Security Update for libapache2-mod-auth-openidc (DSA 5405-1)
- 181985 Debian Security Update for libapache2-mod-auth-openidc (CVE-2023-28625)
- 242302 Red Hat Update for mod_auth_openidc (RHSA-2023:6365)
- 242410 Red Hat Update for mod_auth_openidc:2.3 (RHSA-2023:6940)
- 284103 Fedora Security Update for mod_auth_openidc (FEDORA-2023-b534ca7056)
- 753913 SUSE Enterprise Linux Security Update for apache2-mod_auth_openidc (SUSE-SU-2023:1849-1)
- 753996 SUSE Enterprise Linux Security Update for apache2-mod_auth_openidc (SUSE-SU-2023:1837-1)
- 907302 Common Base Linux Mariner (CBL-Mariner) Security Update for mod_auth_openidc (26772-1)
- 941392 AlmaLinux Security Update for mod_auth_openidc (ALSA-2023:6365)
- 941476 AlmaLinux Security Update for mod_auth_openidc:2.3 (ALSA-2023:6940)