Mod Auth Openidc
CVE-2017-6413
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
AnalysisAI
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Technical ContextAI
This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. Affected products include: Openidc Mod Auth Openidc. Version information: before 2.1.6.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.
More in Mod Auth Openidc
View allmod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that imp
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apac
Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.
mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co
mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified ve
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Rated m
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co
A flaw was found in mod_auth_openidc before version 2.4.0.1. Rated medium severity (CVSS 6.1), this vulnerability is rem
ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). Rated medium severity (C
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today