PT-2019-1903 · Apache+3 · Mod Auth Mellon+3

Garudlaksha1

Published: 2019-03-20 · Updated: 2023-05-25 · CVE-2019-3877

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions: mod_auth_mellon versions prior to 0.14.2
Description: mod_auth_mellon before 0.14.2 contains an open redirect in the logout URL. The redirect target is validated with apr_uri_parse(), which does not treat a backslash as a URL delimiter, so a target that begins with backslashes (for example \\attacker.example/) parses as a relative URL with no scheme and no host and passes the validation. Browsers, however, silently normalize backslashes to forward slashes, which turns the same string into the protocol-relative absolute URL //attacker.example/ and sends the user off-site. This mismatch lets a remote attacker bypass the redirect URL validation logic; a user who follows a crafted logout link is redirected to a site of the attacker's choosing. No authentication is needed, but the victim must click the link (UI:R in the vector).
Recommendations: For mod_auth_mellon versions prior to 0.14.2, update to version 0.14.2 or later, or install the distribution package carrying the backported fix (see the RHSA, CESA, DSA and USN identifiers below). As a temporary workaround, restrict access to the logout endpoint under the Mellon endpoint path (by default /mellon/logout) to reduce exposure until the update can be applied.
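The mismatch described above, worked through in Python as an added example (not the page's or mod_auth_mellon's own code): urllib.parse stands in for apr_uri_parse because both treat a backslash as ordinary path data rather than as a delimiter, browser_resolve applies the WHATWG rule that a backslash in an http(s) URL is read as a forward slash, and the hostnames sp.example.org and evil.example, the /mellon/logout path and the ReturnTo parameter name are assumptions made for illustration.

```python
"""Added example (not the page's or mod_auth_mellon's code): the parser/browser
mismatch behind CVE-2019-3877, and a hardened redirect-target check.

Assumptions: the service provider is https://sp.example.org, the logout
endpoint is /mellon/logout and takes the redirect target in a ReturnTo query
parameter. urllib.parse is used as a stand-in for apr_uri_parse because both
treat a backslash as ordinary path data rather than as a URL delimiter.
"""
from urllib.parse import urljoin, urlparse

SP_HOST = "sp.example.org"                       # assumed SP hostname
LOGOUT_URL = f"https://{SP_HOST}/mellon/logout"  # assumed logout endpoint


def naive_validate(return_to: str) -> bool:
    """Pre-fix style check (a reconstruction, not the project's code): accept
    anything the parser sees as relative (no scheme, no host), or an absolute
    URL on our own host. A value starting with two backslashes has no ':' and
    does not start with '//', so it lands in the 'relative' branch."""
    parts = urlparse(return_to)
    if parts.scheme == "" and parts.netloc == "":
        return True
    return parts.scheme in ("http", "https") and parts.hostname == SP_HOST


def browser_resolve(return_to: str, base: str = LOGOUT_URL) -> str:
    """What the browser actually navigates to after the 302. Per the WHATWG URL
    standard a backslash in an http(s) URL is treated as a forward slash, so two
    leading backslashes become a protocol-relative '//host/' and resolve to an
    absolute URL on that host, not to a path on ours."""
    return urljoin(base, return_to.replace("\\", "/"))


def hardened_validate(return_to: str) -> bool:
    """Post-fix style check: refuse backslashes outright, then judge the URL as
    the browser will see it (resolved against the logout URL) and require the
    final scheme and host to be ours. Requiring https also blocks a crafted
    ReturnTo from downgrading the post-logout page to http."""
    if "\\" in return_to:
        return False
    resolved = urlparse(browser_resolve(return_to))
    return resolved.scheme == "https" and resolved.hostname == SP_HOST


def check(return_to: str) -> dict:
    """Side-by-side verdicts for one candidate ReturnTo value."""
    return {
        "naive_accepts": naive_validate(return_to),
        "browser_goes_to": browser_resolve(return_to),
        "hardened_accepts": hardened_validate(return_to),
    }


if __name__ == "__main__":
    # Constructed candidates: benign targets, a plain external URL, a
    # protocol-relative URL, and the two backslash forms that fool the parser.
    for candidate in ("/logged-out", "https://sp.example.org/bye",
                      "https://evil.example/", "//evil.example/",
                      "\\\\evil.example/", "\\/evil.example/"):
        print(f"{candidate!r:28} {check(candidate)}")
```

Rejecting the backslash is the narrow fix; checking the host of the resolved URL is the defence in depth, since it also catches a plain //evil.example/ and any future normalization quirk a browser might add. Validating the target exactly as the browser will interpret it, rather than as the server-side parser happens to tokenize it, is the general lesson of this bug.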

Fix

Weakness enumeration

Open Redirect

Related identifiers

BDU:2019-01561
CESA-2019_0766
CESA-2019_3421
CVE-2019-3877
DSA-4414-1
RHSA-2019:0766
RHSA-2019:3421
RHSA-2019_0766
RHSA-2019_3421
USN-3924-1
USN-4597-1

Affected products

CentOS
Red Hat
Ubuntu
Mod Auth Mellon