Open Redirect Affecting cjose-devel package, versions <0:0.6.1-4.module+el8.9.0+90009+6a7196cf


Severity

Recommended
0.0
medium
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-CJOSEDEVEL-6082861
  • published23 Nov 2023
  • disclosed14 Dec 2022

Introduced: 14 Dec 2022

CVE-2022-23527  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade Oracle:8 cjose-devel to version 0:0.6.1-4.module+el8.9.0+90009+6a7196cf or higher.
This issue was patched in ELSA-2023-6940.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cjose-devel package and not the cjose-devel package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

CVSS Scores

version 3.1