CVE-2017-6062
HIGHmod_auth_openidc < 2.1.5 - Authentication Bypass via OIDC_CLAIM_ and OIDCAuthNHeader Headers
Title source: llmDescription
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
References (6)
Core 6
Core References
Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.5
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/pingidentity/mod_auth_openidc/issues/222
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH/
Scores
CVSS v3
8.6
EPSS
0.0363
EPSS Percentile
88.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (1)
openidc/mod_auth_openidc
< 2.1.4
Published
Mar 02, 2017
Tracked Since
Feb 18, 2026