The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
History
07 Nov 2023, 02:49
Type | Values Removed | Values Added |
---|---|---|
References | | |
25 May 2023, 20:18
Type | Values Removed | Values Added |
---|---|---|
First Time | Openidc mod Auth Openidc; Openidc | |
CPE | cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:* |
Information
Published : 2017-03-02 06:59
Updated : 2023-12-10 12:01
NVD link : CVE-2017-6413
Mitre link : CVE-2017-6413
CVE.ORG link : CVE-2017-6413
Products Affected
openidc
- mod_auth_openidc
CWE
CWE-287
Improper Authentication