Platform
apache
Component
mod_auth_openidc
Fixed version
2.4.10
CVE-2021-32792 describes a cross-site scripting (XSS) vulnerability affecting the mod_auth_openidc Apache module. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. It impacts versions of mod_auth_openidc up to and including 2.4.9. A fix is available in version 2.4.9.
The XSS vulnerability arises when the OIDCPreservePost On directive is enabled in the mod_auth_openidc configuration. Attackers can exploit this by crafting malicious requests that inject JavaScript code into the OpenID Connect authentication flow. When a user subsequently authenticates, the injected script executes in their browser context, potentially allowing the attacker to steal cookies, redirect the user to a malicious site, or deface the web application. The blast radius extends to any user who authenticates through the vulnerable OpenID Connect integration.
This vulnerability was publicly disclosed on 2021-07-26. No known active exploitation campaigns have been reported. There are publicly available proof-of-concept exploits demonstrating the XSS vulnerability. It is not listed on the CISA KEV catalog.
Web applications using mod_auth_openidc for authentication with OpenID Connect, particularly those with the OIDCPreservePost On directive enabled, are at risk. Shared hosting environments where users can configure Apache modules are also vulnerable.
• apache / server:
grep -r 'OIDCPreservePost On' /etc/httpd/conf.d/*
• apache / server:
journalctl -u httpd | grep 'mod_auth_openidc'
Disclosure
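The two one-line checks above are a starting point, but a literal grep misses the case-insensitive spellings Apache accepts (oidcpreservepost on) and counts commented-out lines, and the journal grep still leaves you to compare the version by eye. The script below is an added example, not part of the advisory or of the mod_auth_openidc project: it scans a config tree for an active OIDCPreservePost On, pulls the module version out of a log line, and reports exposure only when both preconditions hold. It assumes the config lives under a directory such as /etc/httpd or /etc/apache2 and that the module announces itself in the Apache error log as mod_auth_openidc/X.Y.Z; the sample config files and log line are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for CVE-2021-32792 (example code, not part of the advisory).
# Two checks a defender wants before deciding whether a host is exposed:
#   1. is an active "OIDCPreservePost On" present anywhere in the config tree?
#   2. is the loaded mod_auth_openidc older than the fixed release?
# Assumptions not stated on the page: config lives under a directory such as
# /etc/httpd or /etc/apache2, and the module announces itself in the Apache
# error log as "mod_auth_openidc/X.Y.Z". All sample inputs are constructed.

# Fixed release as given in the advisory text; override if your vendor
# backported the fix under another version number.
FIXED_VERSION="${FIXED_VERSION:-2.4.9}"

# Returns 0 when an uncommented "OIDCPreservePost On" exists under directory $1.
# Apache matches directive names case-insensitively, so a literal
# grep 'OIDCPreservePost On' misses 'oidcpreservepost on' and also counts
# commented-out lines; strip leading whitespace, drop comments, match with -i.
oidc_preserve_post_enabled() {
    grep -rih 'OIDCPreservePost' "$1" 2>/dev/null \
        | sed 's/^[[:space:]]*//' \
        | grep -v '^#' \
        | grep -iqE '^OIDCPreservePost[[:space:]]+On([[:space:]]|$)'
}

# Prints the first "mod_auth_openidc/X.Y.Z" version found on stdin
# (pipe in the journal or error log).
oidc_version_from_log() {
    sed -n 's|.*mod_auth_openidc/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Returns 0 when dotted version $1 sorts strictly below $2 (so 2.4.10 > 2.4.9,
# unlike a plain string comparison).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Returns 0 (exposed) only when both preconditions hold: directive enabled
# under config dir $1 and module version $2 below $FIXED_VERSION.
oidc_exposed() {
    oidc_preserve_post_enabled "$1" && version_lt "$2" "$FIXED_VERSION"
}

# Builds a constructed config tree under $1 for the demo: one file with the
# directive commented out / Off, one with it enabled inside a Location block.
make_demo_conf() {
    mkdir -p "$1/conf.d"
    printf '# OIDCPreservePost On\nOIDCPreservePost Off\n' > "$1/conf.d/safe.conf"
    printf '<Location /app>\n  AuthType openid-connect\n  oidcpreservepost on\n</Location>\n' \
        > "$1/conf.d/app.conf"
}

# Demo run against the constructed tree and a constructed log line.
demo_dir="$(mktemp -d)"
make_demo_conf "$demo_dir"
demo_log='[notice] Apache/2.4.46 (Unix) mod_auth_openidc/2.4.8 configured -- resuming normal operations'
ver="$(printf '%s\n' "$demo_log" | oidc_version_from_log)"
if oidc_exposed "$demo_dir" "$ver"; then
    echo "EXPOSED: OIDCPreservePost On is active and mod_auth_openidc $ver < $FIXED_VERSION"
else
    echo "not exposed: version $ver, fixed in $FIXED_VERSION"
fi
rm -rf "$demo_dir"
```

On a real host, replace the demo tree with the server's config directory and feed oidc_version_from_log from journalctl -u httpd (or the error log); an "exposed" result means either upgrade or set OIDCPreservePost Off, as the mitigation below describes.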
Exploitation status
EPSS
0.17% (38th percentile)
CVSS vector
The primary mitigation for CVE-2021-32792 is to upgrade the mod_auth_openidc module to version 2.4.9 or later. If upgrading is not immediately feasible, consider disabling the OIDCPreservePost On directive in the Apache configuration. This prevents the vulnerable code path from being executed, but may impact the functionality of the OpenID Connect integration. Monitor Apache access logs for unusual POST requests containing suspicious script tags. After upgrading, confirm the fix by attempting to trigger the XSS vulnerability with a crafted request and verifying that the script is not executed.
Upgrade the mod_auth_openidc module to version 2.4.9 or later. This version fixes the XSS vulnerability when using the `OIDCPreservePost On` directive.
CVE-2021-32792 is a cross-site scripting (XSS) vulnerability in the mod_auth_openidc Apache module, affecting versions up to 2.4.9 when OIDCPreservePost On is enabled.
You are affected if you are using mod_auth_openidc version 2.4.9 or earlier and have the OIDCPreservePost On directive enabled in your Apache configuration.
Upgrade mod_auth_openidc to version 2.4.9 or later. Alternatively, disable the OIDCPreservePost On directive in your Apache configuration.
While no active exploitation campaigns are currently known, a public proof-of-concept exists, making exploitation possible.
Refer to the Apache Security Advisory for details: https://httpd.apache.org/security/announcements/CVE-2021-32792.html