Open Redirect Affecting cjose-devel package, versions <0:0.6.1-2.module+el8+5139+bcb28322


Severity

Recommended
0.0
medium
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.14% (50th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-CJOSEDEVEL-2832713
  • published18 May 2022
  • disclosed22 Jul 2021

Introduced: 22 Jul 2021

CVE-2021-32786  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade Oracle:8 cjose-devel to version 0:0.6.1-2.module+el8+5139+bcb28322 or higher.
This issue was patched in ELSA-2022-1823.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cjose-devel package and not the cjose-devel package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidc_validate_redirect_url() does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring mod_auth_openidc to only allow redirection whose destination matches a given regular expression.

CVSS Scores

version 3.1