PatchSiren cyber security CVE debrief

CVE-2017-6413 Openidc CVE debrief

CVE-2017-6413 is a high-severity authentication bypass in the Apache HTTP Server module mod_auth_openidc. In configurations using AuthType oauth20, versions before 2.1.6 did not skip client-supplied OIDC_CLAIM_ and OIDCAuthNHeader headers, allowing remote attackers to craft HTTP traffic that bypasses authentication. The vulnerable range identified by NVD extends through 2.1.5, and the vendor release 2.1.6 is the relevant fixed version.

Vendor: Openidc
Product: CVE-2017-6413
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Apache HTTP Server operators and application owners using mod_auth_openidc, especially any internet-facing deployment configured with AuthType oauth20. Security teams should also review distro-packaged builds and downstream backports referenced by vendor and package advisories.

Technical summary

The issue is an authentication control weakness (CWE-287) in mod_auth_openidc before 2.1.6. In AuthType oauth20 mode, the module fails to ignore two header families that should not be trusted from the client: OIDC_CLAIM_ and OIDCAuthNHeader. Because those headers are accepted in a way that can affect authentication handling, a remote attacker can send crafted HTTP requests and bypass the intended authentication checks. NVD rates this as network-exploitable with no privileges or user interaction required, and the CVSS vector reflects a high integrity impact.

Defensive priority

Urgent for any exposed or unpatched deployment. Treat as high priority if mod_auth_openidc is present anywhere in the request path and especially if the affected configuration is reachable from untrusted networks.

Recommended defensive actions

  • Upgrade mod_auth_openidc to version 2.1.6 or later, or apply the vendor/distro backport that includes the fix.
  • Audit Apache configurations for AuthType oauth20 usage and identify any services relying on mod_auth_openidc.
  • Review edge and proxy rules to ensure client-supplied OIDC_CLAIM_ and OIDCAuthNHeader headers are not trusted or forwarded into the authentication flow.
  • Verify packaged installations against vendor or distribution advisories, including downstream updates referenced by Red Hat and Fedora package announcements.
  • Confirm remediation by testing that authenticated access is still required and that the affected header names do not influence authorization decisions.
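As an added example (not PatchSiren's or the mod_auth_openidc project's code), the following Python script performs a first-pass audit of an Apache configuration against the bullets above: it lists the scopes that use AuthType oauth20, reads the header name set by OIDCAuthNHeader, and checks whether a mod_headers `RequestHeader unset <name> early` rule strips that client-supplied header before the authentication phase. The configuration text is constructed for illustration; the scope tracking only records the innermost container and does not model Include files.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCAuthNHeader X-Remote-User
RequestHeader unset X-Remote-User early   # "early" runs before auth hooks
<Location /api>
    AuthType oauth20
    Require valid-user
</Location>
<Location /app>
    AuthType openid-connect
    Require valid-user
</Location>
"""

DIRECTIVE = re.compile(r"^(\S+)\s+(.*?)$")


def audit_config(conf: str) -> dict:
    """Report AuthType oauth20 scopes and which header-stripping controls exist."""
    scopes, early_unset, authn_header, stack = [], set(), None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("</"):                # closing container tag
            stack.pop()
            continue
        if line.startswith("<"):                 # opening container tag
            stack.append(line.strip("<>"))
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "authtype" and value.split()[0].lower() == "oauth20":
            scopes.append(stack[-1] if stack else "(server)")
        elif name == "oidcauthnheader":
            authn_header = value.strip()
        elif name == "requestheader":
            parts = value.split()
            # Only "early" placement (post-read-request) precedes authentication;
            # the default late placement runs in fixups, after auth has decided.
            if len(parts) >= 3 and parts[0].lower() == "unset" and "early" in [p.lower() for p in parts[2:]]:
                early_unset.add(parts[1].lower())
    return {
        "oauth20_scopes": scopes,
        "authn_header": authn_header,
        "authn_header_stripped": bool(authn_header) and authn_header.lower() in early_unset,
        # RequestHeader unset takes one literal name, so it cannot cover the
        # open-ended OIDC_CLAIM_* family; any oauth20 scope still needs 2.1.6+.
        "needs_upgrade": bool(scopes),
    }
```

A stripped OIDCAuthNHeader is a compensating control only; the OIDC_CLAIM_ prefix family still requires the 2.1.6 upgrade, which is why `needs_upgrade` is driven purely by the presence of oauth20 scopes.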

Evidence notes

The vulnerability description, CVSS vector, affected-version boundary, and weakness classification come from the supplied NVD record. The fixed version is supported by the linked mod_auth_openidc v2.1.6 release and commit references. Red Hat and Fedora advisories in the source corpus indicate downstream packaging/remediation coverage.

Official resources

CVE published on 2017-03-02; the supplied NVD record was last modified on 2026-05-13. No KEV listing is present in the supplied enrichment.