CVE-2019-3878

HIGH

mod_auth_mellon <0.14.2 - Auth Bypass

Title source: llm
STIX 2.1

Description

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

References (9)

Core 9
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3878
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/Uninett/mod_auth_mellon/pull/196
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3924-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0746
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0766
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0985
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0959

Scores

CVSS v3 8.1
EPSS 0.0297
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-305 CWE-287
Status published
Products (12)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
fedoraproject/fedora 29
fedoraproject/fedora 30
mod_auth_mellon_project/mod_auth_mellon < 0.14.2
redhat/enterprise_linux 7.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
redhat/enterprise_linux_server_eus 7.6
... and 2 more
Published Mar 26, 2019
Tracked Since Feb 18, 2026