CVE-2019-14857

Public on 2019-11-26

Modified on 2020-11-16

Description

An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL.

Severity

Medium

See what this means

CVSS v3 Base Score

6.1

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	mod24_auth_openidc	2020-11-14 01:23	ALAS-2020-1448
Amazon Linux 2 - Core	mod_auth_openidc	2020-10-22 18:29	ALAS2-2020-1538

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD	CVSSv2	5.8	AV:N/AC:M/Au:N/C:P/I:P/A:N
NVD	CVSSv3	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Red Hat: CVE-2019-14857 Mitre: CVE-2019-14857 FAQs regarding Amazon Linux ALAS/CVE Severity