{"api_version":"1","generated_at":"2026-04-22T23:31:36+00:00","cve":"CVE-2021-32786","urls":{"html":"https://cve.report/CVE-2021-32786","api":"https://cve.report/api/cve/CVE-2021-32786.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32786","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32786"},"summary":{"title":"CVE-2021-32786","description":"mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-07-22 22:15:00","updated_at":"2023-11-07 03:35:00"},"problem_types":["CWE-601"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html","name":"[debian-lts-announce] 20230430 [SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/","name":"FEDORA-2021-17f5cedf66","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: mod_auth_openidc-2.4.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9","name":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9","refsource":"MISC","tags":[],"title":"Release release 2.4.9 · zmartzone/mod_auth_openidc · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/","name":"FEDORA-2021-17f5cedf66","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: mod_auth_openidc-2.4.9-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210902-0001/","name":"https://security.netapp.com/advisory/ntap-20210902-0001/","refsource":"CONFIRM","tags":[],"title":"July 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/","name":"FEDORA-2021-e3017c538a","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: mod_auth_openidc-2.4.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/","name":"FEDORA-2021-e3017c538a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: mod_auth_openidc-2.4.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544","name":"https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-xm4c-5wm5-jqv7 · zmartzone/mod_auth_openidc@3a11548 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/","name":"https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/","refsource":"MISC","tags":[],"title":"One URL standard please | daniel.haxx.se","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7","name":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7","refsource":"CONFIRM","tags":[],"title":"Open Redirect in oidc_validate_redirect_url() · Advisory · zmartzone/mod_auth_openidc · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32786","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32786","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32786","vulnerable":"-1","versionEndIncluding":"2.4.48","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openidc","cpe5":"mod_auth_openidc","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zmartzone","cpe5":"mod_auth_openidc","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-32786","qid":"159800","title":"Oracle Enterprise Linux Security Update for mod_auth_openidc:2.3 (ELSA-2022-1823)"},{"cve":"CVE-2021-32786","qid":"179805","title":"Debian Security Update for libapache2-mod-auth-openidc (CVE-2021-32786)"},{"cve":"CVE-2021-32786","qid":"181758","title":"Debian Security Update for libapache2-mod-auth-openidc (DLA 3409-1)"},{"cve":"CVE-2021-32786","qid":"240273","title":"Red Hat Update for mod_auth_openidc:2.3 (RHSA-2022:1823)"},{"cve":"CVE-2021-32786","qid":"281777","title":"Fedora Security Update for mod_auth_openidc (FEDORA-2021-17f5cedf66)"},{"cve":"CVE-2021-32786","qid":"281778","title":"Fedora Security Update for mod_auth_openidc (FEDORA-2021-e3017c538a)"},{"cve":"CVE-2021-32786","qid":"377581","title":"Alibaba Cloud Linux Security Update for mod_auth_openidc:2.3 (ALINUX3-SA-2022:0135)"},{"cve":"CVE-2021-32786","qid":"751134","title":"OpenSUSE Security Update for apache2-mod_auth_openidc (openSUSE-SU-2021:3020-1)"},{"cve":"CVE-2021-32786","qid":"751149","title":"OpenSUSE Security Update for apache2-mod_auth_openidc (openSUSE-SU-2021:1277-1)"},{"cve":"CVE-2021-32786","qid":"751211","title":"SUSE Enterprise Linux Security Update for apache2-mod_auth_openidc (SUSE-SU-2021:3352-1)"},{"cve":"CVE-2021-32786","qid":"901439","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (6480-1)"},{"cve":"CVE-2021-32786","qid":"940537","title":"AlmaLinux Security Update for mod_auth_openidc:2.3 (ALSA-2022:1823)"},{"cve":"CVE-2021-32786","qid":"960287","title":"Rocky Linux Security Update for mod_auth_openidc:2.3 (RLSA-2022:1823)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-32786","STATE":"PUBLIC","TITLE":"Open Redirect in oidc_validate_redirect_url()"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"mod_auth_openidc","version":{"version_data":[{"version_value":"< 2.4.9"}]}}]},"vendor_name":"zmartzone"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}]},"references":{"reference_data":[{"name":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9","refsource":"MISC","url":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9"},{"name":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7","refsource":"CONFIRM","url":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7"},{"name":"https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544","refsource":"MISC","url":"https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544"},{"name":"https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/","refsource":"MISC","url":"https://daniel.haxx.se/blog/2017/01/30/one-url-standard-please/"},{"refsource":"FEDORA","name":"FEDORA-2021-e3017c538a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/"},{"refsource":"FEDORA","name":"FEDORA-2021-17f5cedf66","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210902-0001/","url":"https://security.netapp.com/advisory/ntap-20210902-0001/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230430 [SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html"}]},"source":{"advisory":"GHSA-xm4c-5wm5-jqv7","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-07-22 22:15:00","lastModifiedDate":"2023-11-07 03:35:00","problem_types":["CWE-601"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndIncluding":"2.4.48","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32786","Ordinal":"208174","Title":"CVE-2021-32786","CVE":"CVE-2021-32786","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32786","Ordinal":"1","NoteData":"mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32786","Ordinal":"2","NoteData":"2021-07-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32786","Ordinal":"3","NoteData":"2021-09-02","Type":"Other","Title":"Modified"}]}}}