Apache mod_auth_openidc Vulnerability Exposes Protected Content to Unauthenticated Users
- From the site: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A significant security vulnerability in Apache’s mod_auth_openidc module has been discovered that could allow unauthorized access to protected web resources.
The flaw, tracked as CVE-2025-31492 and rated 8.2 on the CVSSv4 scale, affects widely deployed OpenID Connect authentication systems and requires immediate attention from system administrators.
The bug, tracked as CVE-2025-31492, is in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache HTTP server that implements OpenID Connect Relying Party functionality.
Apache mod_auth_openidc Vulnerability
According to Peter Benie, who disclosed the vulnerability, it allows unauthenticated users to view content that should be restricted behind authentication protocols.
The issue, present in all versions prior to 2.4.16.11, specifically affects systems configured with OIDCProviderAuthRequestMethod POST and a Require valid-user authentication policy, when no application-level gateway (such as a reverse proxy or load balancer) is in place.
Under these specific conditions, protected web resources become accessible to anyone, effectively nullifying authentication protections.
“A bug in a mod_auth_openidc results in disclosure of protected content to unauthenticated users,” states the official security advisory published by OpenIDC.
The summary of the vulnerability is given below:
Risk Factors: Details
Affected Products: Apache mod_auth_openidc versions < 2.4.16.11
Impact: Unauthorized disclosure of protected content, including HTTP status, headers, and sensitive data
Exploit Prerequisites: Configuration with OIDCProviderAuthRequestMethod POST; no application-level gateway or load balancer protecting the server
CVSS Score: 8.2 (High)
The vulnerability stems from an implementation flaw in the module’s content handling system.
When an unauthenticated user requests a protected resource, the server responds with a multipart response containing not only the authentication form but also the actual protected content that should remain hidden.
The issue occurs because the module’s oidc_content_handler function fails to properly check for this specific authentication scenario.
When processing requests, it returns DECLINED instead of blocking the protected content, allowing Apache to append unauthorized content to the response.
In the case where mod_auth_openidc returns a form, it has to return OK from check_userid so as not to go down the error path in httpd.
This means httpd will then try to serve the protected resource. oidc_content_handler is called early and has the opportunity to prevent httpd from issuing its normal output; declining instead lets that output through.
“It is hard to notice the error if you’re using an HTTP library to do requests – the invalid data will be silently dropped, a new connection will be created, and the end-user remains none the wiser,” the advisory explains.
Mitigation
Organizations using affected configurations should take immediate action to address this vulnerability. Several mitigation options are available:
Update to patched version: The issue has been fixed in mod_auth_openidc version 2.4.16.11 and later.
Switch authentication method: Changing to OIDCProviderAuthRequestMethod GET (which is the default configuration) avoids triggering the vulnerability.
Deploy a gateway: Implementing an application-level gateway or reverse proxy can effectively hide the leaked content from unauthenticated users.
“If there is an application-level gateway protecting the server, it mitigates the problem by hiding the extra content from the outside world,” notes the security advisory.
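The advisory's conditions (an unpatched module, OIDCProviderAuthRequestMethod POST, a container protected with Require valid-user, and no gateway in front) and the three mitigations above can be checked mechanically against a server's configuration. The following audit script is an added example written for this article, not code from the mod_auth_openidc project or from the advisory; the vhost fragment it scans is constructed (example.invalid hostnames), and whether a reverse proxy sits in front of the server is something the operator has to state, since it cannot be read from httpd.conf.

```python
import re
from dataclasses import dataclass, field

# Constructed sample vhost fragment in the affected configuration:
# POST request method plus a Require valid-user container, no gateway.
VULNERABLE_CONF = """
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
OIDCClientID example-client
OIDCRedirectURI https://www.example.invalid/protected/redirect_uri
OIDCProviderAuthRequestMethod POST
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
"""

# The same fragment with mitigation 2 applied: GET, the module default.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "OIDCProviderAuthRequestMethod POST", "OIDCProviderAuthRequestMethod GET"
)

FIXED_VERSION = (2, 4, 16, 11)  # first release the advisory lists as fixed


def parse_version(text: str) -> tuple:
    """'2.4.16.10' -> (2, 4, 16, 10), so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))


def _directive_value(conf: str, name: str):
    """Value of a global directive; the last occurrence wins, as in httpd."""
    values = re.findall(rf"^\s*{name}\s+(\S+)", conf, re.M | re.I)
    return values[-1] if values else None


def _protected_sections(conf: str) -> list:
    """Container paths that combine AuthType openid-connect with Require valid-user."""
    found = []
    pattern = r"<(Location|LocationMatch|Directory|Files)\s+([^>]+)>(.*?)</\1>"
    for m in re.finditer(pattern, conf, re.S | re.I):
        body = m.group(3)
        has_auth = re.search(r"^\s*AuthType\s+openid-connect\b", body, re.M | re.I)
        has_req = re.search(r"^\s*Require\s+valid-user\b", body, re.M | re.I)
        if has_auth and has_req:
            found.append(m.group(2).strip())
    return found


@dataclass
class Finding:
    vulnerable: bool
    exposed: list = field(default_factory=list)      # containers at risk
    mitigations: list = field(default_factory=list)  # conditions already broken


def assess(conf: str, module_version: str, behind_gateway: bool = False) -> Finding:
    """Report whether all CVE-2025-31492 preconditions hold at once.

    behind_gateway is operator-supplied: a reverse proxy or load balancer in
    front of httpd is not visible in the httpd configuration itself.
    """
    mitigations = []
    method = (_directive_value(conf, "OIDCProviderAuthRequestMethod") or "GET").upper()
    sections = _protected_sections(conf)

    if parse_version(module_version) >= FIXED_VERSION:
        mitigations.append(f"module {module_version} is at or above 2.4.16.11")
    if method != "POST":
        mitigations.append(f"OIDCProviderAuthRequestMethod is {method}, not POST")
    if not sections:
        mitigations.append("no container combines openid-connect with Require valid-user")
    if behind_gateway:
        mitigations.append("an application-level gateway hides the extra content")

    vulnerable = not mitigations
    return Finding(vulnerable, sections if vulnerable else [], mitigations)


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        f = assess(conf, "2.4.16.10")
        print(f"{label}: vulnerable={f.vulnerable} exposed={f.exposed} "
              f"mitigations={f.mitigations}")
```

Any single mitigation is enough to clear the finding, which mirrors the advisory: upgrading, switching back to GET, or fronting the server with a gateway each breaks the chain. The module version is passed in rather than detected because a quick audit usually runs against exported configs, where the installed package version comes from the package manager, not from the file.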
The vulnerability affects numerous Linux distributions and platforms that utilize the Apache module.
Major distributions, including Ubuntu, have flagged the issue for evaluation across multiple release versions. Red Hat, which has previously addressed security issues in mod_auth_openidc, is likely to release patches for affected systems.
Organizations using OpenID Connect authentication for Apache servers should audit their configurations immediately and implement the recommended mitigations to protect sensitive web resources from unauthorized access.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability