The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. External References: https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6 Upstream patch: https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e
Created mod_auth_openidc tracking bugs for this issue: Affects: fedora-all [bug 1425356]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2112 https://access.redhat.com/errata/RHSA-2019:2112