A vulnerability was found in mod_auth_mellon where it does not sanitize logout URLs properly, which can result in phishing attacks that trick users.
The vulnerability is in the auth_mellon_util.c:am_check_url() function, where there are not enough checks to ensure the redirect URL is safe. An attacker may provide a victim user with a logout URL, starting with "///", of an application that uses mod_auth_mellon, so that the user is redirected to another site. The user may pay less attention to the URL because the application that uses mod_auth_mellon may be trusted.
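The class of check described above, as an added example written for this page (it is not the project's am_check_url() code; the function names and the allowlist are illustrative assumptions): a weak validator that treats any URL beginning with "/" as a local path, beside a hardened one that accepts only a path with a single leading "/" or an absolute http(s) URL whose host is on an allowlist. A target beginning with "//" or "///" is scheme-relative, so a browser resolves it against the current scheme to whatever host follows, which is why the hardened check rejects it outright.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hosts this deployment is willing to send the browser to after logout.
 * Hypothetical allowlist; a real deployment would derive it from config. */
static const char *const allowed_hosts[] = { "sp.example.org", NULL };

/* Weak check in the spirit of the flaw described above: it rejects control
 * characters but treats anything that starts with '/' as a local path.
 * "///evil.example/" therefore passes, and browsers resolve it to
 * "http://evil.example/". */
bool weak_check_url(const char *url) {
    for (const char *p = url; *p; p++) {
        if (iscntrl((unsigned char)*p)) return false;
    }
    return url[0] == '/';
}

/* Copy the host part of an absolute http(s) URL into buf. Returns false
 * if there is no http(s) scheme prefix or the host is empty or too long. */
static bool parse_host(const char *url, char *buf, size_t buflen) {
    const char *rest;
    if (strncasecmp(url, "https://", 8) == 0) rest = url + 8;
    else if (strncasecmp(url, "http://", 7) == 0) rest = url + 7;
    else return false;
    size_t n = strcspn(rest, "/?#");            /* authority ends at path/query/fragment */
    /* Drop userinfo: "allowed.host@evil.example" would otherwise match the allowlist. */
    const char *at = memchr(rest, '@', n);
    if (at) { n -= (size_t)(at + 1 - rest); rest = at + 1; }
    /* Drop an explicit port so "host:8443" compares as "host". */
    const char *colon = memchr(rest, ':', n);
    if (colon) n = (size_t)(colon - rest);
    if (n == 0 || n >= buflen) return false;
    memcpy(buf, rest, n);
    buf[n] = '\0';
    return true;
}

/* Hardened check: a redirect target is acceptable only if it is
 *  (a) a path-only URL with exactly one leading '/', or
 *  (b) an absolute http(s) URL whose host is on the allowlist.
 * Anything starting with "//" (including "///") is scheme-relative and
 * resolves to the host that follows, so it is rejected. Backslashes are
 * rejected too, because browsers treat '\' as '/' in http(s) URLs. */
bool strict_check_url(const char *url) {
    if (url == NULL || url[0] == '\0') return false;
    for (const char *p = url; *p; p++) {
        if (iscntrl((unsigned char)*p) || *p == '\\') return false;
    }
    if (url[0] == '/') {
        return url[1] != '/';   /* "/path" ok; "//host" and "///host" rejected */
    }
    char host[256];
    if (!parse_host(url, host, sizeof host)) return false; /* non-http(s) scheme: reject */
    for (size_t i = 0; allowed_hosts[i]; i++) {
        if (strcasecmp(host, allowed_hosts[i]) == 0) return true;
    }
    return false;
}
```

The allowlist comparison is case-insensitive and ignores port and userinfo so that lookalike authorities cannot slip past a plain string compare; a deployment that only ever redirects within its own application can drop the absolute-URL branch entirely and accept path-only targets.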
Upstream patch: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5
Created mod_auth_mellon tracking bugs for this issue: Affects: fedora-all [bug 1988235]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1934 https://access.redhat.com/errata/RHSA-2022:1934
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3639