A vulnerability was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
Created mod_auth_openidc tracking bugs for this issue:
Affects: fedora-all [bug 1805104]
It is not possible to reproduce the open redirect vulnerability in the versions of mod_auth_openidc as shipped in Red Hat Enterprise Linux 7, as a missing check makes the process crash, due to a NULL pointer dereference, instead of letting it continue with an invalid URL.
The version of mod_auth_openidc as shipped with Red Hat Enterprise Linux 7 does not contain the patched code; however, due to a missing check, this issue does not manifest as an open redirect flaw but triggers a NULL pointer dereference while parsing the logout URL. For this reason, the only impact on RHEL 7 is to Availability, because the httpd process would die, even though others can take other requests.
This flaw is similar to CVE-2019-14857, but it is about a new way to bypass the security checks. This one involves URLs beginning with `/\`, while CVE-2019-14857 is about URLs beginning with `///`.
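As an added illustration, not code from mod_auth_openidc or its patch, the following C check validates a post-logout redirect target so that both the `///` form (CVE-2019-14857) and the `/\` form described here are rejected, and a NULL target is refused rather than dereferenced. The function name, the local-path-only policy and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if url is acceptable as a redirect target on this host,
 * 0 otherwise. Policy (assumed for this example): only an absolute
 * local path such as "/app/loggedout" is allowed. */
int is_local_redirect_target(const char *url) {
    /* Explicit NULL/empty check: never dereference a missing target. */
    if (url == NULL || url[0] == '\0')
        return 0;
    /* Must start with exactly one '/': anything else is not a local path. */
    if (url[0] != '/')
        return 0;
    /* "//host", "///host" and "/\host" are treated by browsers as
     * scheme-relative URLs pointing at another host, so reject them. */
    if (url[1] == '/' || url[1] == '\\')
        return 0;
    /* A backslash anywhere is normalised to '/' by common browsers;
     * reject it outright rather than trying to canonicalise. */
    if (strchr(url, '\\') != NULL)
        return 0;
    /* Reject control characters (e.g. CR/LF that could split headers). */
    for (const char *p = url; *p != '\0'; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

int main(void) {
    /* Constructed sample targets, not values from the advisory. */
    const char *samples[] = {
        "/app/loggedout", "///evil.example", "/\\evil.example",
        "//evil.example", "https://evil.example", "/a\\b"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               is_local_redirect_target(samples[i]) ? "allowed" : "rejected");
    printf("%-22s -> %s\n", "(NULL)",
           is_local_redirect_target(NULL) ? "allowed" : "rejected");
    return 0;
}
```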