
Honza801

#34263 of 53,634
7.6 Total CVSS
Vulnerabilities · 1
PT-2025-51973
7.6
2025-12-17
Unknown · Open Ondemand · CVE-2025-66029
**Name of the Vulnerable Software and Affected Versions**

Open OnDemand versions prior to 4.1

**Description**

Open OnDemand provides remote web access to supercomputers. The Apache proxy in versions 4.0.8 and earlier allows sensitive headers to be passed to origin servers. This could allow malicious users to create an origin server on a compute node to record these headers when unsuspecting users connect to it. The `OIDCPassClaimsAs` setting can be adjusted to `none` or `environment` to stop passing headers to the client. For centers with an OIDC provider, the `mod_auth_openidc` session cookies can be adjusted using guidance provided in GHSA-2cwp-8g29-9q32.

**Recommendations**

Versions prior to 4.1 should be updated when the 4.1 release is available. For versions 4.0.x, use `custom_location_directives` in `ood_portal.yml` to unset or edit sensitive headers. Set `OIDCPassClaimsAs` to `none` or `environment`. Adjust the `mod_auth_openidc` session cookies using guidance provided in GHSA-2cwp-8g29-9q32 for centers with an OIDC provider.