PT-2023-9329 · Apache · Apache Http Server

Amaury4Sg

·

Published

2023-04-03

·

Updated

2025-12-29

·

CVE-2023-28625

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: mod_auth_openidc versions 2.0.0 through 2.4.13.1
Description: mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when the OIDCStripCookies directive is set and a crafted Cookie header is supplied, the module dereferences a NULL pointer while stripping cookies from the request, and the Apache child process handling the request terminates with a segmentation fault. The cookie is processed before any authentication takes place (CVSS Au:N), so an unauthenticated remote client can trigger the crash at will and use it for Denial-of-Service; confidentiality and integrity are not affected, which is why the vector scores only availability (C:N/I:N/A:C).
Recommendations: For mod_auth_openidc versions 2.0.0 through 2.4.13.1, update to version 2.4.13.2, which contains the fix. Until the update can be applied, remove the OIDCStripCookies directive from the Apache configuration; the crash is only reachable when that directive is set. Distribution packages may ship the fix as a backport under the vendor advisories listed below (RHSA, ALSA, DLA, DSA, SUSE-SU) while keeping an older upstream version number, so check the vendor advisory for the installed package rather than relying on the version string alone.
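As an added example (not code from the advisory or from the mod_auth_openidc project), the following POSIX shell script turns the facts above into a quick exposure check: it tests whether an upstream version falls in the affected range 2.0.0 through 2.4.13.1, and whether an active OIDCStripCookies directive is present in the Apache configuration, which is the precondition for the crash. The function names, the constructed sample configurations and the package-probe hints in the comments are my own assumptions, not anything the advisory specifies.

```shell
#!/bin/sh
# Added example for this advisory; not code from the mod_auth_openidc project.
# Facts taken from the advisory: 2.0.0 through 2.4.13.1 is affected, 2.4.13.2
# fixes the issue, and leaving OIDCStripCookies unset is the workaround.
# Function names, sample configs and probe hints are assumptions for this demo.

FIRST_AFFECTED="2.0.0"
LAST_AFFECTED="2.4.13.1"
FIXED_VERSION="2.4.13.2"   # informational; the range check below is what matters

# moa_is_affected VERSION
# Succeeds (exit 0) when FIRST_AFFECTED <= VERSION <= LAST_AFFECTED.
# `sort -V` gives dotted-version ordering, so 2.4.13.10 sorts after 2.4.13.2
# instead of the lexical (and wrong) order a plain string compare would give.
moa_is_affected() {
    v="$1"
    lo=$(printf '%s\n%s\n' "$FIRST_AFFECTED" "$v" | sort -V | head -n 1)
    hi=$(printf '%s\n%s\n' "$v" "$LAST_AFFECTED" | sort -V | tail -n 1)
    [ "$lo" = "$FIRST_AFFECTED" ] && [ "$hi" = "$LAST_AFFECTED" ]
}

# moa_strip_cookies_configured PATH
# Succeeds when an active (uncommented) OIDCStripCookies directive appears in
# PATH, which may be a single file or a config directory (searched recursively).
moa_strip_cookies_configured() {
    grep -Eirq '^[[:space:]]*OIDCStripCookies[[:space:]]' "$1"
}

# moa_assess VERSION CONFIG_PATH
# Prints NOT-AFFECTED, AFFECTED-MITIGATED (vulnerable build, but the directive
# is absent so the NULL-dereference path is unreachable) or AFFECTED-EXPOSED.
moa_assess() {
    if moa_is_affected "$1"; then
        if moa_strip_cookies_configured "$2"; then
            echo "AFFECTED-EXPOSED"
        else
            echo "AFFECTED-MITIGATED"
        fi
    else
        echo "NOT-AFFECTED"
    fi
}

# Constructed sample configurations (not taken from any real deployment).
MOA_EXPOSED_CONF=$(mktemp)
cat > "$MOA_EXPOSED_CONF" <<'EOF'
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID relying-party
OIDCRedirectURI https://rp.example.test/redirect_uri
OIDCCryptoPassphrase change-me
    OIDCStripCookies mod_auth_openidc_session
EOF

MOA_MITIGATED_CONF=$(mktemp)
cat > "$MOA_MITIGATED_CONF" <<'EOF'
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID relying-party
OIDCRedirectURI https://rp.example.test/redirect_uri
OIDCCryptoPassphrase change-me
# OIDCStripCookies mod_auth_openidc_session   <- workaround: directive disabled
EOF

# Stand-alone run. On a real host the version usually comes from the package
# manager, e.g. `rpm -q mod_auth_openidc` or `dpkg -s libapache2-mod-auth-openidc`,
# and CONFIG_PATH would be /etc/httpd/conf.d or /etc/apache2.
for v in 1.9.9 2.0.0 2.4.13.1 2.4.13.2; do
    printf '%-9s exposed-conf=%-19s mitigated-conf=%s\n' "$v" \
        "$(moa_assess "$v" "$MOA_EXPOSED_CONF")" \
        "$(moa_assess "$v" "$MOA_MITIGATED_CONF")"
done
```

The version test is only meaningful for upstream builds: distribution packages that backport the fix keep an older version string, so for those the vendor advisory (RHSA, DLA, DSA, SUSE-SU) is the authority, not `moa_is_affected`. The configuration test, by contrast, is useful everywhere, because an absent OIDCStripCookies directive removes the reachable crash path regardless of build.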

Exploit

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2023:6365
ALSA-2023:6940
ALT-PU-2023-8441
AZL-26772
BDU:2024-06538
CESA-2023_6940
CVE-2023-28625
DLA-3409-1
DSA-5405-1
GHSA-F5XW-RVFR-24QR
OESA-2023-1235
OESA-2023-1236
RHSA-2023:6365
RHSA-2023:6940
RHSA-2023_6365
RHSA-2023_6940
SUSE-SU-2023:1837-1
SUSE-SU-2023:1849-1
SUSE-SU-2023_1849-1
SUSE-SU-2025:4532-1

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Red Os
Suse