github - ghsa-6gx9-985p-w8c8

ghsa-6gx9-985p-w8c8

Vulnerability from github

Published

2022-05-14 01:05

Modified

2022-05-14 01:05

Severity

8.1 (High) - CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-3878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-26T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.",
  "id": "GHSA-6gx9-985p-w8c8",
  "modified": "2022-05-14T01:05:27Z",
  "published": "2022-05-14T01:05:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Uninett/mod_auth_mellon/pull/196"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:0959"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0746"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0766"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0985"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3878"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3924-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2019-3878

Vulnerability from cvelistv5

Published

2019-03-26 17:44

Modified

2024-08-04 19:19

Severity

8.1 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3878	x_refsource_CONFIRM
https://github.com/Uninett/mod_auth_mellon/pull/196	x_refsource_CONFIRM
https://usn.ubuntu.com/3924-1/	vendor-advisory, x_refsource_UBUNTU
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNW5YMC5TLWVWNJEY6AIWNSNPRAMWPQJ/	vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X7NLAU7KROWNTHAYSA2S67X347F42L2I/	vendor-advisory, x_refsource_FEDORA
https://access.redhat.com/errata/RHSA-2019:0746	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0766	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0985	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2019:0959	vendor-advisory, x_refsource_REDHAT

Impacted products

Vendor	Product
uninett	mod_auth_mellon

Show details on NVD website