CVE-2019-3878

HIGH

mod_auth_mellon <0.14.2 - Auth Bypass


Description

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding the special HTTP headers that are normally used to start the SAML ECP (Enhanced Client or Proxy, non-browser based) flow can be used to bypass authentication.

Scores

CVSS v3 8.1
EPSS 0.0201
EPSS Percentile 83.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-305 CWE-287
Status published
Products (12)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
fedoraproject/fedora 29
fedoraproject/fedora 30
mod_auth_mellon_project/mod_auth_mellon < 0.14.2
redhat/enterprise_linux 7.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
redhat/enterprise_linux_server_eus 7.6
... and 2 more
Published Mar 26, 2019
Tracked Since Feb 18, 2026