PT-2019-1903 · Apache+3 · Mod Auth Mellon+3

Garudlaksha1 · Published 2019-03-20 · Updated 2023-05-25 · CVE-2019-3877

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: mod_auth_mellon versions prior to 0.14.2
Description: A vulnerability in mod_auth_mellon allows an open redirect in the logout URL. Requests whose redirect target contains backslashes are treated as relative URLs by the server, while browsers convert backslashes to forward slashes and treat the same target as an absolute URL. This mismatch lets an attacker bypass the redirect URL validation logic built on the apr_uri_parse function. A remote attacker can exploit the issue to redirect users to a malicious site.
Recommendations: For mod_auth_mellon versions prior to 0.14.2, update to version 0.14.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the logout URL to minimize the risk of exploitation.
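The description above turns on a parsing mismatch: a server-side check that only looks for a scheme or a `//` authority prefix sees a backslash-prefixed target as a relative path, while the browser rewrites the backslashes to forward slashes and follows it as an absolute URL. The following added example (not code from the advisory or from the mod_auth_mellon project; all function names and the sample targets are constructed for illustration) contrasts that naive check with a hardened one that rejects backslashes outright and validates the normalized form, so a defender can unit-test a redirect validator against this class of input.

```python
from urllib.parse import urlsplit

# Hypothetical validator that mirrors the flawed assumption described in the
# advisory: a target with no scheme and no network location is treated as a
# same-site relative URL. It never looks at backslashes.
def naive_is_local_redirect(target: str) -> bool:
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""

# Approximation of browser behaviour for this case: backslashes in the URL
# are interpreted as forward slashes before the URL is resolved.
def browser_normalize(target: str) -> str:
    return target.replace("\\", "/")

# Hardened validator: refuse backslashes entirely, parse the target, and
# require an absolute path on this site that is not scheme-relative ("//host").
def hardened_is_local_redirect(target: str) -> bool:
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/") and not target.startswith("//")

# Test helper: True when the naive check accepts a target that the browser
# would resolve as an absolute (off-site) URL, i.e. the validation mismatch.
def validation_mismatch(target: str) -> bool:
    if not naive_is_local_redirect(target):
        return False
    normalized = urlsplit(browser_normalize(target))
    return bool(normalized.scheme or normalized.netloc)

if __name__ == "__main__":
    # Constructed sample redirect targets as a validator might receive them.
    samples = [
        "/account/settings",
        "//evil.example/",
        "https://evil.example/",
        "\\\\evil.example/",
        "/\\evil.example/",
    ]
    for target in samples:
        print(
            f"{target!r:26} naive={naive_is_local_redirect(target)!s:5} "
            f"hardened={hardened_is_local_redirect(target)!s:5} "
            f"mismatch={validation_mismatch(target)}"
        )
```

The hardened check is deliberately strict: a legitimate post-logout landing page is a path on the same site, so anything carrying a scheme, an authority, or a backslash is rejected rather than normalized and re-checked. If a deployment must accept full URLs, validate the normalized form against an allowlist of hostnames instead of relying on the relative/absolute distinction alone.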

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

BDU:2019-01561
CESA-2019_0766
CESA-2019_3421
CVE-2019-3877
DSA-4414-1
RHSA-2019:0766
RHSA-2019:3421
RHSA-2019_0766
RHSA-2019_3421
USN-3924-1
USN-4597-1

Affected Products

Centos
Red Hat
Ubuntu
Mod Auth Mellon