PT-2024-2685 · Unknown+6 · Mod Auth Openidc+6

Zandbelt · Published 2024-02-07 · Updated 2025-12-29 · CVE-2024-24814

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: mod_auth_openidc versions prior to 2.4.15.2
Description: The issue is a denial of service (DoS) caused by missing input validation on the value of the mod_auth_openidc_session_chunks cookie. An attacker can craft requests that make the server unresponsive or crash with minimal effort: setting the mod_auth_openidc_session_chunks cookie to a very large integer makes the server struggle with the request and finally return a 500 error. A few such requests can render the server unresponsive.
Recommendations: For versions prior to 2.4.15.2, upgrade to version 2.4.15.2 to address the issue. As a temporary workaround, consider restricting access to the mod_auth_openidc_session_chunks cookie to minimize the risk of exploitation. Avoid using large integer values for the mod_auth_openidc_session_chunks cookie until the issue is resolved.
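The root cause named above is a client-controlled integer (the chunk count cookie) that drives server-side work without being validated. The following C example, added here for illustration and not taken from mod_auth_openidc's source, shows the defensive pattern the fix class corresponds to: the count is parsed strictly, rejected if it is not a plain decimal within an assumed upper bound (MAX_SESSION_CHUNKS), and checked against the chunks actually present before any allocation or loop depends on it. The function names and the bound are assumptions chosen for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many session chunk cookies a request may
   announce. Illustrative value, not mod_auth_openidc's own constant. */
#define MAX_SESSION_CHUNKS 64

/* Parse the chunk-count cookie value strictly: decimal digits only (no sign,
   whitespace or hex prefix that strtol would otherwise tolerate), no trailing
   garbage, no overflow, and within [1, MAX_SESSION_CHUNKS].
   Returns the count, or -1 when the value must be rejected. */
int parse_session_chunks(const char *value) {
    if (value == NULL || *value == '\0')
        return -1;

    for (const char *p = value; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
    }

    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;                       /* overflow or not fully consumed */
    if (n < 1 || n > MAX_SESSION_CHUNKS)
        return -1;                       /* out of the accepted range */

    return (int)n;
}

/* Reassemble a chunked session value from the chunk cookies that were
   actually sent. `chunks[i]` is the i-th chunk value or NULL if missing;
   `present` is the number of slots in `chunks`. The announced count is
   validated BEFORE it sizes any allocation or bounds any loop, so an
   attacker-chosen huge number never turns into server-side work.
   Returns a malloc'd string the caller frees, or NULL on rejection. */
char *reassemble_session(const char *count_value,
                         const char *const *chunks, size_t present) {
    int n = parse_session_chunks(count_value);
    if (n < 0)
        return NULL;
    if ((size_t)n > present)
        return NULL;                     /* announced more chunks than sent */

    size_t total = 0;
    for (int i = 0; i < n; i++) {
        if (chunks[i] == NULL)
            return NULL;                 /* a referenced chunk is missing */
        total += strlen(chunks[i]);
    }

    char *out = malloc(total + 1);
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (int i = 0; i < n; i++)
        strcat(out, chunks[i]);
    return out;
}
```

The strict digit scan before strtol matters: strtol alone accepts leading whitespace and a sign, so "-1" or " 5" would parse, and the ERANGE check is what catches digit strings too long to represent at all. Bounding the count against both a fixed maximum and the chunks actually present means a request announcing a very large value is refused before it costs more than a string scan.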

Exploit

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2024:5289
ALSA-2024:9180
ALSA-2024_5289
ALSA-2024_9180
AZL-42520
AZL-42537
BDU:2024-02794
CESA-2024_5289
CVE-2024-24814
DLA-3751-1
GHSA-HXR6-W4GC-7VVV
INFSA-2024_5289
INFSA-2024_9180
MGASA-2024-0081
OESA-2024-1191
OESA-2024-1192
OESA-2024-1193
OESA-2024-1194
OPENSUSE-SU-2024:13699-1
OPENSUSE-SU-2024_2299-1
RHSA-2024:5289
RHSA-2024:9180
RHSA-2024_5289
RHSA-2024_9180
RLSA-2024:9180
SUSE-SU-2024:0757-1
SUSE-SU-2024:0758-1
SUSE-SU-2024:2299-1
SUSE-SU-2024_0757-1
SUSE-SU-2024_0758-1
SUSE-SU-2024_2299-1
SUSE-SU-2025:4532-1

Affected Products

Almalinux
Centos
Red Hat
Red Os
Rocky Linux
Suse
Mod Auth Openidc