CVE-2017-6059 : Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.

Published 2017-04-12 20:59:01

Updated 2023-05-25 20:18:47

Source MITRE

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2017-6059

Openidc » Mod Auth Openidc
Versions before (<) 2.1.4
cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-6059

EPSS FAQ

2.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-6059

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2017-6059

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-6059

http://www.openwall.com/lists/oss-security/2017/02/17/6

oss-security - OpenID Connect authentication module for Apache: CVE-2017-6059 CVE-2017-6062
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH/

[SECURITY] Fedora 31 Update: mod_auth_openidc-2.4.0.3-1.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z/

[SECURITY] Fedora 30 Update: mod_auth_openidc-2.4.0.3-1.fc30 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://github.com/pingidentity/mod_auth_openidc/commit/612e309bfffd6f9b8ad7cdccda3019fc0865f3b4

don't echo query params on invalid requests to redirect URI; closes #212 · zmartzone/mod_auth_openidc@612e309 · GitHub
Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2112

RHSA-2019:2112 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.4

Release release 2.1.4 · zmartzone/mod_auth_openidc · GitHub
Patch;Release Notes;Third Party Advisory
https://github.com/pingidentity/mod_auth_openidc/issues/212

Don't show user-supplied content in error pages · Issue #212 · zmartzone/mod_auth_openidc · GitHub
Issue Tracking;Patch;Third Party Advisory
http://www.securityfocus.com/bid/96299

Ping Identity 'mod_auth_openidc' Module CVE-2017-6059 Content Spoofing Vulnerability
Third Party Advisory;VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA/

[SECURITY] Fedora 29 Update: mod_auth_openidc-2.4.0.3-1.fc29 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-6059

Products affected by CVE-2017-6059

Exploit prediction scoring system (EPSS) score for CVE-2017-6059

CVSS scores for CVE-2017-6059

CWE ids for CVE-2017-6059

References for CVE-2017-6059