Resource Exhaustion Affecting zmartzone/mod_auth_openidc package, versions [,2.4.15.2)


Severity

Recommended: high

CVSS assessment made by Snyk's Security Team

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.05% (21st percentile)

  • Snyk ID SNYK-UNMANAGED-ZMARTZONEMODAUTHOPENIDC-7573296
  • published 30 Jul 2024
  • disclosed 13 Feb 2024
  • credit Unknown

How to fix?

Upgrade zmartzone/mod_auth_openidc to version 2.4.15.2 or higher.

Overview

Affected versions of this package are vulnerable to Resource Exhaustion due to missing input validation in the mod_auth_openidc_session_chunks cookie value. An attacker can cause the application or system to slow down or crash by crafting a request that leads to unhandled errors.

Note: Proof of concept:

  1. Open the application URL in the browser.

  2. Sign in using correct credentials.

  3. While using the application while signed in, open the Chrome developer tools, change the value of the mod_auth_openidc_session_chunks cookie to 99999999, and refresh the page.

  4. Apache + mod_auth_openidc will take some time, then return a 500.
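The defect described above is a count read from a client-controlled cookie and used, unvalidated, to drive a loop over chunk cookies. The following C program is an added example, not mod_auth_openidc's own code, showing the unchecked pattern beside a bounded one and a chunk-reassembly routine that validates before it does any work. The chunk cookie naming (mod_auth_openidc_session_<index>), the MAX_SESSION_CHUNKS limit and the error codes are assumptions made for the illustration; only the mod_auth_openidc_session_chunks cookie name comes from the advisory.

```c
/*
 * Added example (not mod_auth_openidc's own code): bounded parsing of a
 * chunk-count cookie such as mod_auth_openidc_session_chunks, and a
 * reassembly loop that only runs after the count has been validated.
 * The chunk cookie naming scheme, the limit and the error codes below
 * are assumptions made for this illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many chunks a session cookie may be split into. */
#define MAX_SESSION_CHUNKS 32
/* Assumed naming: "<prefix>chunks" holds the count, "<prefix>0", "<prefix>1", ... the pieces. */
#define CHUNK_PREFIX "mod_auth_openidc_session_"

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_EMPTY = -1,        /* count cookie absent or empty */
    CHUNK_ERR_NOT_NUMERIC = -2,  /* trailing garbage, overflow, or no digits */
    CHUNK_ERR_OUT_OF_RANGE = -3, /* count < 1 or > MAX_SESSION_CHUNKS */
    CHUNK_ERR_MISSING = -4,      /* a referenced chunk cookie is not present */
    CHUNK_ERR_TOO_LONG = -5      /* reassembled value would not fit the buffer */
};

/* A request's cookie jar, modelled as a constructed name/value table. */
struct cookie { const char *name; const char *value; };

static const char *find_cookie(const struct cookie *jar, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(jar[i].name, name) == 0) return jar[i].value;
    return NULL;
}

/* Vulnerable pattern: the attacker-controlled count is trusted as-is and
 * becomes the iteration count of the chunk loop. */
long chunk_count_unchecked(const char *value) {
    return value ? strtol(value, NULL, 10) : 0;
}

/* Hardened pattern: must be a clean decimal, at least 1, and bounded. */
int chunk_count_checked(const char *value, long *out) {
    if (value == NULL || *value == '\0') return CHUNK_ERR_EMPTY;
    char *end = NULL;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0') return CHUNK_ERR_NOT_NUMERIC;
    if (n < 1 || n > MAX_SESSION_CHUNKS) return CHUNK_ERR_OUT_OF_RANGE;
    *out = n;
    return CHUNK_OK;
}

/* Reassemble the session value from its chunk cookies. The loop is only
 * entered with a validated count, and it fails closed on the first gap. */
int reassemble_session(const struct cookie *jar, size_t n_cookies,
                       char *out, size_t out_len) {
    long chunks = 0;
    int rc = chunk_count_checked(find_cookie(jar, n_cookies, CHUNK_PREFIX "chunks"), &chunks);
    if (rc != CHUNK_OK) return rc;

    size_t used = 0;
    if (out_len == 0) return CHUNK_ERR_TOO_LONG;
    out[0] = '\0';
    for (long i = 0; i < chunks; i++) {
        char name[sizeof(CHUNK_PREFIX) + 24];
        snprintf(name, sizeof name, CHUNK_PREFIX "%ld", i);
        const char *piece = find_cookie(jar, n_cookies, name);
        if (piece == NULL) return CHUNK_ERR_MISSING;
        size_t len = strlen(piece);
        if (used + len + 1 > out_len) return CHUNK_ERR_TOO_LONG;
        memcpy(out + used, piece, len + 1);
        used += len;
    }
    return CHUNK_OK;
}

int main(void) {
    /* Constructed cookie jar: a two-chunk session, then the value from the PoC. */
    struct cookie jar[] = {
        { CHUNK_PREFIX "chunks", "2" },
        { CHUNK_PREFIX "0", "abc" },
        { CHUNK_PREFIX "1", "def" },
    };
    char buf[64];
    printf("valid jar: rc=%d value=%s\n",
           reassemble_session(jar, 3, buf, sizeof buf), buf);

    jar[0].value = "99999999";
    printf("unchecked count would loop %ld times\n", chunk_count_unchecked(jar[0].value));
    printf("checked count: rc=%d (rejected before any loop)\n",
           reassemble_session(jar, 3, buf, sizeof buf));
    return 0;
}
```

The point of the split into chunk_count_checked and reassemble_session is that every cost the server pays (name formatting, cookie lookup, copying) sits behind the bound, so a hostile count is rejected in constant time instead of after millions of iterations and an unhandled error.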

CVSS Scores (version 3.1)

Snyk (Recommended): 7.5 high
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): None
  • Integrity (I): None
  • Availability (A): High

NVD: 7.5 high

SUSE: 7.5 high

Red Hat: 7.5 high