PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6062 Openidc CVE debrief

CVE-2017-6062 is a high-severity authentication bypass in mod_auth_openidc for Apache HTTP Server. In affected versions before 2.1.5, the module does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers when OIDCUnAuthAction pass is configured, which can allow remote attackers to bypass authentication through crafted HTTP traffic.

Vendor: Openidc
Product: CVE-2017-6062
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Organizations running Apache HTTP Server with mod_auth_openidc, especially deployments using OIDCUnAuthAction pass. Web platform owners, identity and access management teams, and operators responsible for reverse proxies or authenticated web apps should treat this as a priority because the issue affects authentication enforcement directly.

Technical summary

NVD records this as CVE-2017-6062 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N and CWE-287. The vulnerable condition is limited to mod_auth_openidc versions through 2.1.4. The module fails to ignore OIDC_CLAIM_ and OIDCAuthNHeader headers in the OIDCUnAuthAction pass configuration, creating a path for remote authentication bypass.

Defensive priority

High. The issue is network-reachable, requires no privileges or user interaction, and affects authentication integrity. Systems exposing the affected configuration should be patched promptly and reviewed for compensating controls.

Recommended defensive actions

  • Upgrade mod_auth_openidc to version 2.1.5 or later.
  • Review Apache HTTP Server configurations that use OIDCUnAuthAction pass and validate that OIDC_CLAIM_ and OIDCAuthNHeader headers supplied by clients are not passed on to backends in a way that weakens authentication.
  • Audit deployments for any reliance on pre-2.1.5 behavior and test authentication flows after upgrading.
  • Monitor related vendor notes, changelog entries, and downstream package advisories for the exact fixed package versions in your distribution.
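To make the failure mode and the fix concrete, here is an added Python model (not mod_auth_openidc's own code) of the header-scrub step that 2.1.5 applies to unauthenticated requests under OIDCUnAuthAction pass, with the through-2.1.4 behaviour beside it for comparison. The OIDC_CLAIM_ prefix is the module's default; the OIDC_REMOTE_USER name standing in for OIDCAuthNHeader and the request contents are assumptions constructed for this example.

```python
# Added example, not mod_auth_openidc's own code: a model of the scrub step
# that 2.1.5 applies to unauthenticated requests under OIDCUnAuthAction pass.
from typing import Dict, Optional

CLAIM_PREFIX = "OIDC_CLAIM_"       # default OIDCClaimPrefix
AUTHN_HEADER = "OIDC_REMOTE_USER"  # assumed OIDCAuthNHeader value for this model


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop every inbound header the module itself would set.

    HTTP header names are case-insensitive, so compare in lowercase;
    a scrub that only matched one spelling would miss variants.
    """
    prefix, authn = CLAIM_PREFIX.lower(), AUTHN_HEADER.lower()
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(prefix) and name.lower() != authn}


def pass_through(headers: Dict[str, str], session_user: Optional[str],
                 fixed: bool) -> Dict[str, str]:
    """Headers the backend receives under OIDCUnAuthAction pass.

    session_user is the user of a valid module session, or None.
    fixed=False models versions through 2.1.4, where an unauthenticated
    request was passed on without the scrub; fixed=True models 2.1.5+.
    """
    if session_user is None:
        return scrub_headers(headers) if fixed else dict(headers)
    # Authenticated request: scrub, then let the module set its own headers.
    out = scrub_headers(headers)
    out[AUTHN_HEADER] = session_user
    out[CLAIM_PREFIX + "sub"] = session_user
    return out


def backend_user(headers: Dict[str, str]) -> Optional[str]:
    """What a backend that trusts the authn header would take as the user."""
    for name, value in headers.items():
        if name.lower() == AUTHN_HEADER.lower():
            return value
    return None


# Constructed request from an unauthenticated client carrying headers
# that only the module should ever set (mixed case on purpose).
UNTRUSTED_REQUEST = {"Host": "app.example", "oidc_remote_user": "alice",
                     "Oidc_Claim_sub": "alice"}
```

With `fixed=False` the backend reads `alice` from a request that never authenticated; with `fixed=True` both headers are gone and a real session user is the only value the backend ever sees.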

Evidence notes

This debrief is based on the official NVD record and the linked project references. NVD describes the affected range as versions through 2.1.4 and lists the impact as authentication bypass with CWE-287. The project changelog, issue tracker entry, and v2.1.5 release notes are the supplied vendor-linked references indicating the fix and release context. No exploit steps are included here.

Official resources

Publicly disclosed on 2017-03-02. The CVE record was later modified on 2026-05-13; that modification date should not be treated as the original issue date.