ID CVE-2019-13038
Summary mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
References
Vulnerable Configurations
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.4.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.5.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.0:-:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.0:rc1:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.6.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.7.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.8.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.9.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.10.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.11.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.12.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.13.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.0:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.1:*:*:*:*:apache:*:*
  • cpe:2.3:a:mod_auth_mellon_project:mod_auth_mellon:0.14.2:*:*:*:*:apache:*:*
  • cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 13-06-2022 - 18:39)
Impact:
Exploitability:
CWE CWE-601
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • bugzilla
    id 1727789
    title mod_auth_mellon fix for AJAX header name X-Requested-With
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment mod_auth_mellon is earlier than 0:0.14.0-8.el7
            oval oval:com.redhat.rhsa:tst:20201003001
          • comment mod_auth_mellon is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141803002
        • AND
          • comment mod_auth_mellon-diagnostics is earlier than 0:0.14.0-8.el7
            oval oval:com.redhat.rhsa:tst:20201003003
          • comment mod_auth_mellon-diagnostics is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190766004
    rhsa
    id RHSA-2020:1003
    released 2020-03-31
    severity Moderate
    title RHSA-2020:1003: mod_auth_mellon security and bug fix update (Moderate)
  • bugzilla
    id 1761774
    title mod_auth_mellon fix for AJAX header name X-Requested-With
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment mod_auth_mellon is earlier than 0:0.14.0-11.el8
            oval oval:com.redhat.rhsa:tst:20201660001
          • comment mod_auth_mellon is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141803002
        • AND
          • comment mod_auth_mellon-debugsource is earlier than 0:0.14.0-11.el8
            oval oval:com.redhat.rhsa:tst:20201660003
          • comment mod_auth_mellon-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190985004
        • AND
          • comment mod_auth_mellon-diagnostics is earlier than 0:0.14.0-11.el8
            oval oval:com.redhat.rhsa:tst:20201660005
          • comment mod_auth_mellon-diagnostics is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20190766004
    rhsa
    id RHSA-2020:1660
    released 2020-04-28
    severity Moderate
    title RHSA-2020:1660: mod_auth_mellon security and bug fix update (Moderate)
rpms
  • mod_auth_mellon-0:0.14.0-8.el7
  • mod_auth_mellon-debuginfo-0:0.14.0-8.el7
  • mod_auth_mellon-diagnostics-0:0.14.0-8.el7
  • mod_auth_mellon-0:0.14.0-11.el8
  • mod_auth_mellon-debuginfo-0:0.14.0-11.el8
  • mod_auth_mellon-debugsource-0:0.14.0-11.el8
  • mod_auth_mellon-diagnostics-0:0.14.0-11.el8
  • mod_auth_mellon-diagnostics-debuginfo-0:0.14.0-11.el8
refmap via4
fedora
  • FEDORA-2019-1444823e77
  • FEDORA-2019-e8d74ece30
misc https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
ubuntu USN-4291-1
Last major update 13-06-2022 - 18:39
Published 29-06-2019 - 14:15
Last modified 13-06-2022 - 18:39