Platform
apache
Component
mod_auth_openidc
Fixed in
2.4.10
CVE-2021-32792 describes a cross-site scripting (XSS) vulnerability affecting the mod_auth_openidc Apache module. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. It impacts versions of mod_auth_openidc up to and including 2.4.9. A fix is available in version 2.4.9.
The XSS vulnerability arises when the OIDCPreservePost On directive is enabled in the mod_auth_openidc configuration. Attackers can exploit this by crafting malicious requests that inject JavaScript code into the OpenID Connect authentication flow. When a user subsequently authenticates, the injected script executes in their browser context, potentially allowing the attacker to steal cookies, redirect the user to a malicious site, or deface the web application. The blast radius extends to any user who authenticates through the vulnerable OpenID Connect integration.
This vulnerability was publicly disclosed on 2021-07-26. No known active exploitation campaigns have been reported. There are publicly available proof-of-concept exploits demonstrating the XSS vulnerability. It is not listed on the CISA KEV catalog.
Web applications using mod_auth_openidc for authentication with OpenID Connect, particularly those with the OIDCPreservePost On directive enabled, are at risk. Shared hosting environments where users can configure Apache modules are also vulnerable.
• apache / server:
  grep -r 'OIDCPreservePost On' /etc/httpd/conf.d/*
• apache / server:
  journalctl -u httpd | grep 'mod_auth_openidc'
Disclosure
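The grep above only covers /etc/httpd/conf.d/ and also matches commented-out lines. As an added example (not part of the advisory), the function below checks every config directory you pass it (so both the httpd and apache2 layouts), skips comments and treats the directive case-insensitively, as Apache does. The directory paths in the usage line are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example: report whether "OIDCPreservePost On" is active in any Apache
# config file under the given directories. Returns 0 (and prints the matching
# file:line entries) if the directive is enabled anywhere, 1 otherwise.
oidc_preservepost_enabled() {
    found=1
    for dir in "$@"; do
        # Silently skip directories that do not exist on this layout.
        [ -d "$dir" ] || continue
        # Match the directive at the start of a line (leading whitespace allowed),
        # so lines commented out with '#' are ignored; -i because Apache directive
        # names and the On/Off argument are case-insensitive.
        hits=$(grep -rIiE \
            '^[[:space:]]*OIDCPreservePost[[:space:]]+On([[:space:]]|$)' \
            "$dir" 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return $found
}

# Stand-alone usage: check the directories given on the command line, e.g.
#   ./check_oidc.sh /etc/httpd /etc/apache2   (paths are assumptions)
if [ "$#" -gt 0 ]; then
    if oidc_preservepost_enabled "$@"; then
        echo "OIDCPreservePost On is enabled: affected if mod_auth_openidc is unpatched"
    else
        echo "OIDCPreservePost On not found in the given directories"
    fi
fi
```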
Exploit Status
EPSS
0.17% (38th percentile)
CVSS-vector
The primary mitigation for CVE-2021-32792 is to upgrade the mod_auth_openidc module to version 2.4.9 or later. If upgrading is not immediately feasible, consider disabling the OIDCPreservePost On directive in the Apache configuration. This prevents the vulnerable code path from being executed, but may impact the functionality of the OpenID Connect integration. Monitor Apache access logs for unusual POST requests containing suspicious script tags. After upgrading, confirm the fix by attempting to trigger the XSS vulnerability with a crafted request and verifying that the script is not executed.
Update the mod_auth_openidc module to version 2.4.9 or later. This version fixes the XSS vulnerability when using the `OIDCPreservePost On` directive.
CVE-2021-32792 is a cross-site scripting (XSS) vulnerability in the mod_auth_openidc Apache module, affecting versions up to 2.4.9 when OIDCPreservePost On is enabled.
You are affected if you are using mod_auth_openidc version 2.4.9 or earlier and have the OIDCPreservePost On directive enabled in your Apache configuration.
Upgrade mod_auth_openidc to version 2.4.9 or later. Alternatively, disable the OIDCPreservePost On directive in your Apache configuration.
While no active exploitation campaigns are currently known, a public proof-of-concept exists, making exploitation possible.
Refer to the Apache Security Advisory for details: https://httpd.apache.org/security/announcements/CVE-2021-32792.html