Vulnerability Details CVE-2019-13038
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 32.9%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
- https://lists.debian.org/debian-lts-announce/2023/03/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5E3JVHURJJNDP63CKVX5O5MJAGCQV4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XU5GVFZW3C2M4ZBL4F7UP7N24FNUCX4E/
- https://usn.ubuntu.com/4291-1/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
- https://lists.debian.org/debian-lts-announce/2023/03/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5E3JVHURJJNDP63CKVX5O5MJAGCQV4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XU5GVFZW3C2M4ZBL4F7UP7N24FNUCX4E/
- https://usn.ubuntu.com/4291-1/
- https://www.oracle.com/security-alerts/cpuapr2022.html
Products affected by CVE-2019-13038
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.10.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.1
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.12.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.1
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.1
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.2
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.4.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.5.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.1
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.7.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.1
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.0
-
cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.1
-
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.10
-
cpe:2.3:o:fedoraproject:fedora:30
-
cpe:2.3:o:fedoraproject:fedora:31