Skip to main content

Mod Auth Openidc CVE-2021-32791

MEDIUM
Reusing a Nonce, Key Pair in Encryption (CWE-323)
2021-07-26 security-advisories@github.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 26, 2021 - 17:15 nvd
MEDIUM 5.9

DescriptionNVD

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.

AnalysisAI

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-323. mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines. Affected products include: Openidc Mod Auth Openidc, Fedoraproject Fedora. Version information: version 2.4.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-24814 HIGH POC
7.5 Feb 13

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that imp

CVE-2021-39191 MEDIUM POC
6.1 Sep 03

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2021-32786 MEDIUM POC
6.1 Jul 22

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2017-6062 HIGH
8.6 Mar 02

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apac

CVE-2017-6413 HIGH
8.6 Mar 02

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apac

CVE-2017-6059 HIGH
7.5 Apr 12

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.

CVE-2023-28625 HIGH
7.5 Apr 03

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID

CVE-2021-32785 HIGH
7.5 Jul 22

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2021-20718 HIGH
7.5 May 20

mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified ve

CVE-2022-23527 MEDIUM
6.1 Dec 14

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Rated m

CVE-2021-32792 MEDIUM
6.1 Jul 26

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2019-14857 MEDIUM
6.1 Nov 26

A flaw was found in mod_auth_openidc before version 2.4.0.1. Rated medium severity (CVSS 6.1), this vulnerability is rem

Share

CVE-2021-32791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy