Skip to main content

Mod Auth Openidc CVE-2024-24814

HIGH
Uncontrolled Resource Consumption (CWE-400)
2024-02-13 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 13, 2024 - 19:15 nvd
HIGH 7.5

DescriptionNVD

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Openidc Mod Auth Openidc, Debian Debian Linux, Fedoraproject Fedora. Version information: version 2.4.15.2..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2021-39191 MEDIUM POC
6.1 Sep 03

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2021-32786 MEDIUM POC
6.1 Jul 22

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2017-6062 HIGH
8.6 Mar 02

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apac

CVE-2017-6413 HIGH
8.6 Mar 02

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apac

CVE-2017-6059 HIGH
7.5 Apr 12

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.

CVE-2023-28625 HIGH
7.5 Apr 03

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID

CVE-2021-32785 HIGH
7.5 Jul 22

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2021-20718 HIGH
7.5 May 20

mod_auth_openidc 2.4.0 to 2.4.7 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified ve

CVE-2022-23527 MEDIUM
6.1 Dec 14

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Rated m

CVE-2021-32792 MEDIUM
6.1 Jul 26

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Co

CVE-2019-14857 MEDIUM
6.1 Nov 26

A flaw was found in mod_auth_openidc before version 2.4.0.1. Rated medium severity (CVSS 6.1), this vulnerability is rem

CVE-2019-1010247 MEDIUM
6.1 Jul 19

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). Rated medium severity (C

Share

CVE-2024-24814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy