PT-2023-9329 · Apache+6 · Apache Http Server+6
Amaury4Sg
·
Published
2023-04-03
·
Updated
2025-12-29
·
CVE-2023-28625
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
mod_auth_openidc versions 2.0.0 through 2.4.13.1
Description
The issue affects the mod_auth_openidc module for the Apache 2.x HTTP server, which implements OpenID Connect Relying Party functionality. When OIDCStripCookies is set and a crafted cookie is supplied, a NULL pointer dereference occurs, resulting in a segmentation fault. This can be used in a Denial-of-Service attack, presenting an availability risk.
Recommendations
For mod_auth_openidc versions 2.0.0 through 2.4.13.1, update to version 2.4.13.2 to resolve the issue.
As a temporary workaround, avoid using OIDCStripCookies to minimize the risk of exploitation.
Exploit
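The advisory gives two conditions that together determine exposure: an affected mod_auth_openidc version (2.0.0 through 2.4.13.1, fixed in 2.4.13.2) and an active OIDCStripCookies directive. The following check is an added example, not code from the advisory or from the mod_auth_openidc project; the sample httpd configuration, the hostnames in it and the version strings are constructed for illustration.

```python
"""Added example: assess exposure to CVE-2023-28625 from the installed
mod_auth_openidc version and the presence of an active OIDCStripCookies
directive in an Apache httpd configuration."""
import re

# Version range taken from the advisory text.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 4, 13, 1)   # last affected release
FIXED_VERSION = "2.4.13.2"

# Apache directive names are case-insensitive; a leading '#' means the line
# is a comment and the directive is not in effect.
DIRECTIVE = re.compile(r"^\s*OIDCStripCookies\b", re.IGNORECASE)


def parse_version(version_str):
    """'2.4.13.1-3.el9' -> (2, 4, 13, 1): only the first four numeric
    components are compared, so a packaging release suffix is ignored."""
    nums = re.findall(r"\d+", version_str)
    return tuple(int(n) for n in nums[:4])


def strip_cookies_enabled(config_text):
    """True if an uncommented OIDCStripCookies directive appears in the config."""
    return any(DIRECTIVE.match(line) for line in config_text.splitlines())


def assess(version_str, config_text):
    """Return a dict describing whether the host matches both conditions."""
    affected_version = AFFECTED_MIN <= parse_version(version_str) <= AFFECTED_MAX
    directive_set = strip_cookies_enabled(config_text)
    vulnerable = affected_version and directive_set
    if not affected_version:
        advice = "version outside the affected range; no action for this CVE"
    elif directive_set:
        advice = (f"upgrade to {FIXED_VERSION}; until then remove "
                  "OIDCStripCookies as the advisory's interim workaround")
    else:
        advice = (f"OIDCStripCookies not active, but upgrade to "
                  f"{FIXED_VERSION} when possible")
    return {
        "affected_version": affected_version,
        "directive_set": directive_set,
        "vulnerable": vulnerable,
        "advice": advice,
    }


# Constructed sample configuration (hypothetical hostnames and values) in
# which the directive has been commented out as the workaround.
SAMPLE_CONFIG = """\
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID example-client
OIDCRedirectURI https://app.example.test/protected/redirect_uri
OIDCCryptoPassphrase placeholder-passphrase
# interim workaround: directive disabled pending upgrade
#OIDCStripCookies session_token
"""

if __name__ == "__main__":
    for ver in ("2.4.13.1", "2.4.13.2"):
        print(ver, assess(ver, SAMPLE_CONFIG))
        print(ver, assess(ver, SAMPLE_CONFIG.replace("#OIDCStripCookies",
                                                    "OIDCStripCookies")))
```

The version check is indicative only: distribution packages (several are listed under affected products below) may backport the fix without changing the upstream version number, so confirm against the vendor's own advisory before treating a host as exposed or as fixed.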
Fix
DoS
NULL Pointer Dereference
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Red Os
Suse