Home

CVE-2019-13038

Description

mod_auth_mellon through 0.14.2 has an Open Redirect via the loginReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

Risk Information

Base Score
6.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.116

Associated Vulnerability

VulnerabilityOS Platform
SAML 2.0 authentication module for Apache (USN-4291-1) libapache2-mod-auth-mellon_0.13.1-1ubuntu0.2_i386.debLinux
SAML 2.0 authentication module for Apache (USN-4291-1) libapache2-mod-auth-mellon_0.13.1-1ubuntu0.2_amd64.debLinux
SAML 2.0 authentication module for Apache (USN-4291-1) libapache2-mod-auth-mellon_0.14.2-1ubuntu1.19.10.1_i386.debLinux
SAML 2.0 authentication module for Apache (USN-4291-1) libapache2-mod-auth-mellon_0.14.2-1ubuntu1.19.10.1_amd64.debLinux
(RHSA-2020:1003) mod_auth_mellon security and bug fix update mod_auth_mellon-0.14.0-8.el7.x86_64.rpmLinux
(RHSA-2020:1003) mod_auth_mellon security and bug fix update mod_auth_mellon-diagnostics-0.14.0-8.el7.x86_64.rpmLinux
(RHSA-2020:1660) mod_auth_mellon security and bug fix update mod_auth_mellon-0.14.0-11.el8.x86_64.rpmLinux
(RHSA-2020:1660) mod_auth_mellon security and bug fix update mod_auth_mellon-debugsource-0.14.0-11.el8.x86_64.rpmLinux
(RHSA-2020:1660) mod_auth_mellon security and bug fix update mod_auth_mellon-diagnostics-0.14.0-11.el8.x86_64.rpmLinux
(CESA-2020:1660) mod_auth_mellon security and bug fix update mod_auth_mellon-0.14.0-11.el8.x86_64.rpmLinux
(CESA-2020:1660) mod_auth_mellon security and bug fix update mod_auth_mellon-diagnostics-0.14.0-11.el8.x86_64.rpmLinux
(CESA-2020:1003) mod_auth_mellon security and bug fix update mod_auth_mellon-0.14.0-8.el7.x86_64.rpmLinux
(CESA-2020:1003) mod_auth_mellon security and bug fix update mod_auth_mellon-diagnostics-0.14.0-8.el7.x86_64.rpmLinux
(RHSA-2020:1003)Moderate: security and bug fix update mod_auth_mellon-debuginfo-0.14.0-8.el7.x86_64.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234