PT-2021-4478 · Hiredis+4

Published 2021-07-22 · Updated 2025-12-29 · CVE-2021-32785

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: mod_auth_openidc versions prior to 2.4.9

Description: The issue is an uncontrolled format string in mod_auth_openidc when it is configured to use an unencrypted Redis cache. It can be used for denial of service by repeatedly crashing the Apache worker processes. The root cause is that mod_auth_openidc performs argument interpolation into the Redis command text before passing that text to hiredis, which interpolates it a second time, so format characters in cache keys are interpreted by hiredis. The estimated impact and real-world incidents are not specified.

Recommendations: For mod_auth_openidc versions prior to 2.4.9, update to version 2.4.9 to resolve the issue. As a temporary workaround, set OIDCCacheEncrypt to on: with this option enabled, cache keys are cryptographically hashed before use, so no attacker-controlled format characters reach hiredis.
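The double-interpolation pattern described above, shown as an added example that is not code from mod_auth_openidc or hiredis. Because hiredis is not linked here, a small constructed stand-in (mock_redis_format, an assumed name) plays the role of the printf-style command formatter: it interprets %s in its format string and fails (returns -1) when the format asks for more arguments than were supplied, which is how this simulation models the crash. The vulnerable builder interpolates the key into the command text and then hands that text to the formatter as its format string; the hardened builder keeps a constant format string and passes the key as an argument, so a '%' inside the key is copied verbatim. The sample keys are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a printf-style Redis command formatter (not
 * hiredis). Understands "%s" (consumes argv in order) and "%%". Returns the
 * output length, or -1 when the format requests more arguments than argc
 * provides or uses another specifier; the -1 models the worker crash that
 * the advisory attributes to the second interpolation pass. */
static int mock_redis_format(char *out, size_t n, const char *fmt,
                             int argc, const char **argv)
{
    size_t pos = 0;
    int used = 0;
    if (n == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p == '%' && p[1] == 's') {
            if (used >= argc) return -1;            /* specifier without argument */
            size_t len = strlen(argv[used]);
            if (pos + len >= n) return -1;
            memcpy(out + pos, argv[used], len);
            pos += len; used++; p++;
        } else if (*p == '%' && p[1] == '%') {
            if (pos + 1 >= n) return -1;
            out[pos++] = '%'; p++;
        } else if (*p == '%') {
            return -1;                              /* unsupported specifier */
        } else {
            if (pos + 1 >= n) return -1;
            out[pos++] = *p;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Vulnerable pattern: pass 1 interpolates the key into the command text,
 * pass 2 then treats that text as a format string, so any '%' that was in
 * the key is parsed again, this time with no arguments behind it. */
int build_get_double_interpolated(char *out, size_t n, const char *key)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "GET %s", key);        /* pass 1 */
    return mock_redis_format(out, n, cmd, 0, NULL);  /* pass 2 */
}

/* Hardened pattern: one formatting pass with a constant format string; the
 * key is an argument and is never interpreted as a format. */
int build_get_single_pass(char *out, size_t n, const char *key)
{
    const char *argv[1] = { key };
    return mock_redis_format(out, n, "GET %s", 1, argv);
}

/* Defensive check usable at the cache boundary: counts '%' characters in a
 * key, i.e. the characters a second formatting pass would try to interpret. */
int key_format_chars(const char *key)
{
    int count = 0;
    for (; *key; key++)
        if (*key == '%') count++;
    return count;
}

int main(void)
{
    char out[256];
    const char *keys[] = { "sess:abc", "sess:%s%n" };   /* constructed keys */
    for (int i = 0; i < 2; i++) {
        int a = build_get_double_interpolated(out, sizeof out, keys[i]);
        printf("double pass  key=%-10s -> %s\n", keys[i], a < 0 ? "FAIL" : out);
        int b = build_get_single_pass(out, sizeof out, keys[i]);
        printf("single pass  key=%-10s -> %s (format chars: %d)\n",
               keys[i], b < 0 ? "FAIL" : out, key_format_chars(keys[i]));
    }
    return 0;
}
```

The first key behaves identically under both builders; only the key containing '%' exposes the difference, and the single-pass builder forwards it unchanged. OIDCCacheEncrypt's hashing removes the problem at a different layer, by ensuring the key string handed to the formatter is hex digits rather than caller-chosen text.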

Fix

DoS

Use of Externally-Controlled Format String

Weakness Enumeration

Related Identifiers

AZL-6479
BDU:2021-05111
CVE-2021-32785
DLA-3409-1
GHSA-55R8-6W97-XXR4
MGASA-2021-0452
OPENSUSE-SU-2021:1277-1
OPENSUSE-SU-2021:3020-1
OPENSUSE-SU-2021_1277-1
OPENSUSE-SU-2021_3020-1
OPENSUSE-SU-2024:10624-1
SUSE-SU-2021:3020-1
SUSE-SU-2021:3352-1
SUSE-SU-2021_3020-1
SUSE-SU-2021_3352-1
SUSE-SU-2025:4532-1

Affected Products

Apache
Redis
Suse
Hiredis
Mod Auth Openidc