
GCVE-VVD-MAGEIA-2021-452

Vulnetix · Advisory published October 2, 2021
In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed, which leads to an Open Redirect vulnerability in the logout functionality. (CVE-2021-32786)

In mod_auth_openidc before version 2.4.9, the AES GCM encryption uses a static IV and AAD. This is important to fix because it creates a static nonce: since AES-GCM is a stream cipher, reusing the same key with that nonce can lead to known cryptographic issues. (CVE-2021-32791)

In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`. (CVE-2021-32792)
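To make the CVE-2021-32791 description concrete, the following added example (not mod_auth_openidc code, and not taken from the advisory) encrypts two messages with AES-GCM under one key, first with a static nonce and then with fresh random nonces, and checks whether the ciphertexts reveal the XOR of the plaintexts. The key, the all-zero nonce standing in for the static IV, the AAD string and the plaintexts are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts pt with AES-GCM under key and nonce, using a constructed static AAD.
func seal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, pt, []byte("constructed-static-aad"))
}

// freshNonce returns a random 96-bit nonce, the corrected per-message behaviour.
func freshNonce() []byte {
	n := make([]byte, 12)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// LeaksPlaintextXOR reports whether c1 XOR c2 equals p1 XOR p2 (same keystream used twice).
func LeaksPlaintextXOR(key, n1, n2, p1, p2 []byte) bool {
	c1, c2 := seal(key, n1, p1), seal(key, n2, p2)
	for i := 0; i < len(p1) && i < len(p2); i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key
	p1, p2 := []byte("constructed-state-cookie-A"), []byte("constructed-state-cookie-B")
	static := make([]byte, 12) // all-zero stand-in for a static IV (assumption)
	fmt.Println("static nonce leaks:", LeaksPlaintextXOR(key, static, static, p1, p2))
	fmt.Println("fresh nonce leaks: ", LeaksPlaintextXOR(key, freshNonce(), freshNonce(), p1, p2))
}
```

With the static nonce the check returns true for any pair of messages, which is why the remedy is a unique nonce per encryption rather than a different constant.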

Affected Products

| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | apache-mod_auth_openidc | 0 (affected), 2.4.9.4-1.mga8 (unaffected) | |
