VDB
CVE-2021-32791
CVE-2021-32791
PUBLISHED
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.
EPSS 0.51% · 67.0th percentile
Risk Scores
EPSS Score
0.51%
67.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | libapache2-mod-auth-openidc | 0, 2.3.10.2-1, 2.4.0.4-1 |
| Ubuntu:18.04:LTS | libapache2-mod-auth-openidc | 0, 2.1.6-1, 2.3.1-2 |
Timeline
- CVE Published
- Jul 27, 2021 EPSS Score
- Aug 5, 2021 EPSS Score
- Aug 8, 2021 EPSS Score
- Nov 22, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 21, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 21, 2022 EPSS Score
- May 19, 2022 EPSS Score
- Jul 18, 2022 EPSS Score
- Sep 15, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-32791 third-party-advisory
- https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r third-party-advisory
- https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c third-party-advisory
- https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-32791 third-party-advisory