It was found that when OIDCUnAuthAction is set to pass, the OIDC_CLAIM_* headers are not scrubbed. This allows unauthenticated requests to /content/. Sending the OIDC_CLAIM_preferred_username header then allows spoofing any existing username.

Upstream bug: https://github.com/pingidentity/mod_auth_openidc/issues/222
Upstream patch: https://github.com/pingidentity/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850
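The following is an added example, not code from this bug report or from mod_auth_openidc itself. It is a small model of the behaviour described above: how client-supplied OIDC_CLAIM_* headers reach the protected backend on the OIDCUnAuthAction=pass path, once without scrubbing (the reported defect) and once with scrubbing (what the upstream patch adds), and why a backend that trusts OIDC_CLAIM_preferred_username is then spoofable. The function names, the scrub_on_pass switch and the sample request are assumptions constructed for illustration; only the header prefix, the preferred_username claim and the OIDCUnAuthAction values come from the report and the module's documented configuration.

```python
# Added example (not mod_auth_openidc code): a minimal model of how request
# headers reach the protected backend, with and without scrubbing of inbound
# OIDC_CLAIM_* headers on the OIDCUnAuthAction=pass path. Function names and
# the sample request below are constructed for illustration.
from typing import Dict, Optional

CLAIM_PREFIX = "OIDC_CLAIM_"


def scrub_claim_headers(headers: Dict[str, str], prefix: str = CLAIM_PREFIX) -> Dict[str, str]:
    """Drop every client-supplied header whose name starts with the claim
    prefix (case-insensitive, since HTTP header names are)."""
    return {k: v for k, v in headers.items() if not k.upper().startswith(prefix.upper())}


def forward_headers(inbound: Dict[str, str],
                    session_claims: Optional[Dict[str, str]],
                    unauth_action: str,
                    scrub_on_pass: bool) -> Optional[Dict[str, str]]:
    """Return the headers the backend sees for one request.

    session_claims is None for an unauthenticated request; otherwise it holds
    the claims from a validated session. scrub_on_pass=False models the
    pre-patch behaviour reported above, scrub_on_pass=True the patched one.
    Returns None when the request does not reach the backend (redirected to
    the OP or rejected).
    """
    if session_claims is not None:
        # Authenticated: always start from scrubbed headers so the client can
        # never inject a claim, then add the claims from the validated session.
        out = scrub_claim_headers(inbound)
        for name, value in session_claims.items():
            out[CLAIM_PREFIX + name] = value
        out["REMOTE_USER"] = session_claims["preferred_username"]
        return out
    if unauth_action == "pass":
        # Unauthenticated request let through. Without scrubbing, whatever
        # OIDC_CLAIM_* headers the client sent survive untouched.
        return scrub_claim_headers(inbound) if scrub_on_pass else dict(inbound)
    # auth / 401 / 410: the request is redirected to the OP or rejected.
    return None


def backend_identity(headers: Dict[str, str]) -> Optional[str]:
    """What a backend that trusts the preferred_username claim header
    concludes about the caller (this trust is exactly what the spoof abuses)."""
    return headers.get(CLAIM_PREFIX + "preferred_username")


# Constructed spoofed request: no session, claim header supplied by the client.
SPOOFED_REQUEST = {
    "Host": "www.example.com",
    "OIDC_CLAIM_preferred_username": "alice",
}


def spoof_succeeds(scrub_on_pass: bool) -> bool:
    """True if an unauthenticated caller can make the backend see 'alice'."""
    seen = forward_headers(SPOOFED_REQUEST, None, "pass", scrub_on_pass)
    return seen is not None and backend_identity(seen) == "alice"


if __name__ == "__main__":
    print("unpatched (no scrub on pass):", spoof_succeeds(False))  # True
    print("patched   (scrub on pass):   ", spoof_succeeds(True))   # False
```

The practical consequence for anyone running an unpatched module with a pass-through location is that every OIDC_CLAIM_* header seen by the backend there must be treated as client-controlled; only the scrub-then-set order on the authenticated path, and the scrub the patch adds on the pass path, make those headers trustworthy.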
Created mod_auth_openidc tracking bugs for this issue:

Affects: fedora-all [bug 1425356]
At least as far as RHEL-7 goes, this CVE does not apply, because OIDCUnAuthAction doesn't work owing to a mismatch between what the version of the module we ship sets as REMOTE_USER and what httpd expects a valid value of REMOTE_USER to be. For more details, please see https://bugzilla.redhat.com/show_bug.cgi?id=1626298#c2 and https://bugzilla.redhat.com/show_bug.cgi?id=1626298#c3. Therefore I'm going to close the RHEL-7 tracker as WONTFIX.