PT-2018-2721 · Apache · Mod Auth Mellon

Published: 2018-05-10 · Updated: 2020-10-22 · CVE-2019-3878

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: mod_auth_mellon versions prior to 0.14.2
Description: A vulnerability was found that allows bypassing authentication in certain configurations. If Apache is set up as a reverse proxy and mod_auth_mellon is configured to only allow authenticated users, an attacker can add special HTTP headers to bypass authentication. These headers are normally used to start the SAML ECP (non-browser-based) flow. The issue is related to the register_hooks() function and can be exploited by a remote attacker to bypass existing access controls by using special HTTP headers.
Recommendations: For mod_auth_mellon versions prior to 0.14.2, update to version 0.14.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the register_hooks() function or disabling the SAML ECP flow until a patch is applied. Avoid using the Require valid-user directive in configurations where mod_auth_mellon is used as a reverse proxy until the issue is resolved.

Weakness Enumeration: Improper Authentication

Related Identifiers:

BDU:2019-01572
CESA-2019_0766
CESA-2019_0985
CVE-2019-3878
DSA-4414-1
RHSA-2019:0746
RHSA-2019:0766
RHSA-2019:0985
RHSA-2019_0766
RHSA-2019_0985
USN-3924-1
USN-4597-1

Affected Products:

CentOS
Red Hat
Ubuntu
Mod Auth Mellon