Vulnerability Details CVE-2017-6062
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.5%
CVSS Severity
CVSS v3 Score 8.6
CVSS v2 Score 5.0
Products affected by CVE-2017-6062
- cpe:2.3:a:openidc:mod_auth_openidc:-
- cpe:2.3:a:openidc:mod_auth_openidc:1.5
- cpe:2.3:a:openidc:mod_auth_openidc:1.5.1
- cpe:2.3:a:openidc:mod_auth_openidc:1.5.2
- cpe:2.3:a:openidc:mod_auth_openidc:1.5.3
- cpe:2.3:a:openidc:mod_auth_openidc:1.5.4
- cpe:2.3:a:openidc:mod_auth_openidc:1.5.5
- cpe:2.3:a:openidc:mod_auth_openidc:1.6.0
- cpe:2.3:a:openidc:mod_auth_openidc:1.7.0
- cpe:2.3:a:openidc:mod_auth_openidc:1.7.1
- cpe:2.3:a:openidc:mod_auth_openidc:1.7.2
- cpe:2.3:a:openidc:mod_auth_openidc:1.7.3
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.0
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.1
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.10
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.10.1
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.10.2
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.10.3
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.2
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.3
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.4
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.5
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.6
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.7
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.8
- cpe:2.3:a:openidc:mod_auth_openidc:1.8.9
- cpe:2.3:a:openidc:mod_auth_openidc:2.0.0
- cpe:2.3:a:openidc:mod_auth_openidc:2.1.0
- cpe:2.3:a:openidc:mod_auth_openidc:2.1.1
- cpe:2.3:a:openidc:mod_auth_openidc:2.1.2
- cpe:2.3:a:openidc:mod_auth_openidc:2.1.3
- cpe:2.3:a:openidc:mod_auth_openidc:2.1.4