mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 220.127.116.11, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 18.104.22.168 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
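As an added illustration (not code from mod_auth_openidc or from this advisory), the following Python models the difference the fix describes: trusting `target_link_uri` outright versus requiring it to pass an allowlist before it becomes the post-login destination. The allowlist is constructed for the example and is assumed to behave like `OIDCRedirectURLsAllowed` in the sense of regular expressions matched against the whole URL.

```python
import re
from urllib.parse import parse_qs

# Constructed allowlist standing in for OIDCRedirectURLsAllowed. This example
# assumes the setting holds regular expressions matched against the whole URL.
ALLOWED_REDIRECT_URL_PATTERNS = [
    r"https://app\.example\.com/.*",
    r"https://portal\.example\.com/.*",
]


def target_link_uri_allowed(url, patterns=ALLOWED_REDIRECT_URL_PATTERNS):
    """Return True only if the whole URL matches one allowed pattern.

    Control characters and backslashes are rejected up front: browsers
    normalise them in ways a regex match over the raw string does not see.
    """
    if any(ord(c) < 0x20 for c in url) or "\\" in url:
        return False
    return any(re.fullmatch(p, url) for p in patterns)


def post_login_destination_unchecked(query_string, default="/"):
    """Pre-patch behaviour as the advisory describes it: whatever the
    third-party initiator put in target_link_uri becomes the redirect."""
    params = parse_qs(query_string)
    return params.get("target_link_uri", [default])[0]


def post_login_destination(query_string, default="/"):
    """Patched behaviour: target_link_uri must pass the allowlist, otherwise
    the relying party falls back to its own default landing page."""
    params = parse_qs(query_string)
    target = params.get("target_link_uri", [None])[0]
    if target is None or not target_link_uri_allowed(target):
        return default
    return target


if __name__ == "__main__":
    # Constructed query string of a third-party initiated login request.
    q = ("iss=https%3A%2F%2Fop.example.com"
         "&target_link_uri=https%3A%2F%2Fattacker.example%2F")
    print(post_login_destination_unchecked(q))  # follows the foreign URL
    print(post_login_destination(q))            # "/"
```

The patterns are anchored by `re.fullmatch`, so a host that merely starts with an allowed name, or places it in the userinfo part of the URL, does not match.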
Created mod_auth_openidc tracking bugs for this issue:
Affects: fedora-all [bug 2001647]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:1823 https://access.redhat.com/errata/RHSA-2022:1823
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):