1691125 – (CVE-2019-3877) CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes

Bug 1691125 (CVE-2019-3877) - CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes

Summary: CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs wi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3877
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1691771 1692470 1692471 1692472 1697488
Blocks:	1691129
TreeView+	depends on / blocked

Reported:	2019-03-20 22:59 UTC by Laura Pardo
Modified:	2021-07-27 09:33 UTC (History)
CC List:	9 users (show)
Fixed In Version:	mod_auth_mellon 0.14.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:51:32 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:0766	0	None	None	None	2019-04-16 14:40:25 UTC
Red Hat Product Errata	RHSA-2019:3421	0	None	None	None	2019-11-05 20:48:48 UTC

Description Laura Pardo 2019-03-20 22:59:00 UTC

A vulnerability was found in mod_auth_mellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes using treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.

Comment 1 Laura Pardo 2019-03-21 17:29:46 UTC

Upstream issue:
https://github.com/Uninett/mod_auth_mellon/issues/35

Comment 2 Laura Pardo 2019-03-21 17:33:33 UTC

Upstream Patch:
https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8

Comment 3 Pedro Sampaio 2019-03-22 13:27:27 UTC

Created mod_auth_mellon tracking bugs for this issue:

Affects: fedora-all [bug 1691771]

Comment 6 errata-xmlrpc 2019-04-16 14:40:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0766 https://access.redhat.com/errata/RHSA-2019:0766

Comment 10 errata-xmlrpc 2019-11-05 20:48:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3421 https://access.redhat.com/errata/RHSA-2019:3421

Note You need to log in before you can comment on or make changes to this bug.