A vulnerability was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
Reference:
https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7
https://github.com/zmartzone/mod_auth_openidc/pull/453
Created mod_auth_openidc tracking bugs for this issue: Affects: fedora-all [bug 1805104]
Statement: It is not possible to reproduce the open redirect vulnerability in the versions of mod_auth_openidc as shipped in Red Hat Enterprise Linux 7, as a missing check makes the process crash, due to a NULL pointer dereference, instead of letting it continue with an invalid URL.
The version of mod_auth_openidc as shipped with Red Hat Enterprise Linux 7 does not contain the patched code; however, due to a missing check, this issue does not manifest as an Open Redirect flaw, but it triggers a NULL pointer dereference while parsing the logout URL. For this reason, the only impact on RHEL 7 is to Availability, because the httpd process would die, even though other processes can take other requests.
This flaw is similar to CVE-2019-14857, but it is about a new way to bypass the security checks. This one involves URLs beginning with `/\`, while CVE-2019-14857 is about URLs beginning with `///`.
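To make the distinction between the two bypasses concrete from the defender's side, here is an added, illustrative C example (not mod_auth_openidc's code and not the upstream fix): a naive "starts with a single slash" check of the kind that rejects `//` and `///` prefixes but lets `/\` through, placed beside a hardened redirect-target check that also rejects a backslash in the second position and refuses a NULL pointer rather than dereferencing it (the crash mode described for the RHEL 7 build). Function names and the sample redirect targets are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical naive check (added example, not project code): accepts a target
 * as "local" when it begins with '/' and the next character is not '/'.
 * This rejects "//host" and "///host" but wrongly accepts "/\host", which
 * browsers normalise to "//host" and follow to another origin. */
int naive_is_local_path(const char *url)
{
    if (url == NULL)            /* refuse NULL instead of dereferencing it */
        return 0;
    if (url[0] != '/')
        return 0;
    if (url[1] == '/')
        return 0;
    return 1;                   /* "/\host" falls through to here */
}

/* Hardened check (added example): a redirect target is accepted only when it is
 * an absolute path on this server, i.e. it starts with exactly one '/' followed
 * by neither '/' nor '\\', and contains no control characters. Anything with a
 * scheme, an authority, or a NULL pointer is rejected. */
int is_safe_local_redirect(const char *url)
{
    if (url == NULL || url[0] != '/')
        return 0;
    if (url[1] == '/' || url[1] == '\\')
        return 0;
    for (const char *p = url; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f)   /* CR/LF, tabs, DEL: reject outright */
            return 0;
    }
    return 1;
}

/* Stand-alone demonstration over constructed sample targets. */
int main(void)
{
    const char *samples[] = {
        "/protected/page?x=1",     /* legitimate local path */
        "//other-host.example/",   /* protocol-relative */
        "///other-host.example/",  /* the CVE-2019-14857 shape */
        "/\\other-host.example/",  /* the "/\\" shape from this bug */
        "https://other-host.example/",
        NULL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-30s naive=%d hardened=%d\n",
               s ? s : "(NULL)", naive_is_local_path(s), is_safe_local_redirect(s));
    }
    return 0;
}
```

The point of the side-by-side is that a deny-list of known-bad prefixes keeps needing new entries (first `//`, then `///`, then `/\`), whereas the hardened version states what an acceptable target looks like and rejects everything else, which is the stance a logout or post-login redirect parameter should be validated with.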
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3032 https://access.redhat.com/errata/RHSA-2020:3032
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20479
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3970 https://access.redhat.com/errata/RHSA-2020:3970