Bug 1691125 (CVE-2019-3877)

Summary: CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, jdennis, jhrozek, jorton, luhliari, psampaio, security-response-team, spoore, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_auth_mellon 0.14.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:51:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1691771, 1692470, 1692471, 1692472, 1697488    
Bug Blocks: 1691129    

Description Laura Pardo 2019-03-20 22:59:00 UTC 
A vulnerability was found in mod_auth_mellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes using treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
Comment 1 Laura Pardo 2019-03-21 17:29:46 UTC 
Upstream issue:
https://github.com/Uninett/mod_auth_mellon/issues/35
Comment 2 Laura Pardo 2019-03-21 17:33:33 UTC 
Upstream Patch:
https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8
Comment 3 Pedro Sampaio 2019-03-22 13:27:27 UTC 
Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1691771]
Comment 6 errata-xmlrpc 2019-04-16 14:40:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0766 https://access.redhat.com/errata/RHSA-2019:0766
Comment 10 errata-xmlrpc 2019-11-05 20:48:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3421 https://access.redhat.com/errata/RHSA-2019:3421