Openidc CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Openidc CVE published 2017-03-02

CVE-2017-6413

CVE-2017-6413 is a high-severity authentication bypass in the Apache HTTP Server module mod_auth_openidc. In configurations using AuthType oauth20, versions before 2.1.6 did not skip client-supplied OIDC_CLAIM_ and OIDCAuthNHeader headers, allowing remote attackers to craft HTTP traffic that bypasses authentication. The vulnerable range identified by NVD extends through 2.1.5, and the vendor release 2.1.6 [truncated]

HIGH Openidc CVE published 2017-03-02

CVE-2017-6062

CVE-2017-6062 is a high-severity authentication bypass in mod_auth_openidc for Apache HTTP Server. In affected versions before 2.1.5, the module does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers when OIDCUnAuthAction pass is configured, which can allow remote attackers to bypass authentication through crafted HTTP traffic.