Bypassing Authentication in mod_auth_openidc

Bypassing Authentication in mod_auth_openidc

CVE-2017-6062 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

Learn more about our Cis Benchmark Audit For Apache Http Server.