MEDIUM · 5.8

CVE-2019-3877

Vulnerability Description

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
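As an added illustration (not taken from the advisory or from the mod_auth_mellon source), the following Python models the parsing mismatch the description refers to: a server-side check that treats any target without a scheme or a `//` authority as a relative path, set against a browser-style normalisation that turns backslashes into forward slashes before the redirect is followed. The hostnames are constructed, and `hardened_is_local` is a general pattern for validating redirect targets, not the project's own fix.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed: hostname of the service provider that issues the logout redirect.
OWN_HOSTS = {"sp.example.com"}


def naive_is_local(target: str) -> bool:
    """Model of the flawed check: no scheme and no '//' authority => 'relative'.

    urlsplit() only recognises an authority after a literal '//', so a target
    such as '/\\other.example/' has an empty netloc and is accepted as local.
    """
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def browser_normalize(target: str) -> str:
    """Model of what a browser does before resolving a Location header.

    For http(s) URLs the WHATWG URL parser treats '\\' as '/', so the
    'relative' target above becomes the network-path reference
    '//other.example/', i.e. an absolute URL on another host.
    """
    return target.replace("\\", "/")


def browser_destination_host(target: str) -> Optional[str]:
    """Host the browser actually navigates to for a given redirect target."""
    return urlsplit(browser_normalize(target)).hostname


def hardened_is_local(target: str, own_hosts=OWN_HOSTS) -> bool:
    """Validate a redirect target so that server and browser agree on it.

    - reject backslashes and whitespace outright instead of guessing how a
      client will interpret them;
    - a relative target must be a single-slash path ('/...' but not '//...');
    - an absolute target must be http(s) with a hostname on the allow list.
    """
    if "\\" in target or any(ch in target for ch in "\r\n\t "):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in own_hosts


def compare(targets):
    """Return (target, naive verdict, browser host, hardened verdict) rows."""
    return [
        (t, naive_is_local(t), browser_destination_host(t), hardened_is_local(t))
        for t in targets
    ]


if __name__ == "__main__":
    # Constructed sample redirect targets, including the backslash variant
    # that the naive check wrongly classifies as relative.
    for row in compare([
        "/logout/done",
        "https://sp.example.com/logout/done",
        "https://other.example/",
        "//other.example/",
        "/\\other.example/",
    ]):
        print(row)
```

The row for `/\other.example/` is the one that matters: the naive check returns True, the browser ends up on `other.example`, and the hardened check returns False. Rejecting backslashes before parsing removes the ambiguity rather than trying to predict each client's normalisation.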

CVSS Score

5.8

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: NONE
Integrity: LOW
Availability: NONE

Affected Products

Vendor                   Product           Versions
Mod Auth Mellon Project  Mod Auth Mellon   < 0.14.2
Fedoraproject            Fedora            29
Redhat                   Enterprise Linux  7.0
Canonical                Ubuntu Linux      18.04

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-3877?

CVE-2019-3877 is a vulnerability with a CVSS score of 5.8 (MEDIUM). A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.

How severe is CVE-2019-3877?

CVE-2019-3877 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2019-3877?

Check the references section above for vendor advisories and patch information. The vulnerability description identifies mod_auth_mellon versions before v0.14.2 as affected. Affected products include: Mod Auth Mellon Project Mod Auth Mellon, Fedoraproject Fedora, Redhat Enterprise Linux, Canonical Ubuntu Linux.