4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.1%
mod_auth_openidc is an authentication/authorization module for the Apache
2.x HTTP server that functions as an OpenID Connect Relying Party,
authenticating users against an OpenID Connect Provider. In
mod_auth_openidc before version 2.4.9, the AES GCM encryption in
mod_auth_openidc uses a static IV and AAD. It is important to fix because
this creates a static nonce and since aes-gcm is a stream cipher, this can
lead to known cryptographic issues, since the same key is being reused.
From 2.4.9 onwards this has been patched to use dynamic values through
usage of cjose AES encryption routines.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libapache2-mod-auth-openidc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | libapache2-mod-auth-openidc | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libapache2-mod-auth-openidc | < any | UNKNOWN |
github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c
github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c (v2.4.9)
github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r
launchpad.net/bugs/cve/CVE-2021-32791
nvd.nist.gov/vuln/detail/CVE-2021-32791
security-tracker.debian.org/tracker/CVE-2021-32791
www.cve.org/CVERecord?id=CVE-2021-32791
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.1%