Name | CVE-2021-3639 |
---|---|
Description | A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this vulnerability is to confidentiality and integrity. |
Source | CVE |
References | DLA-3359-1 |
Debian Bugs | 991730 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
libapache2-mod-auth-mellon (PTS) | jessie | 0.9.1-1 | vulnerable |
libapache2-mod-auth-mellon (PTS) | stretch (security), stretch (lts), stretch | 0.12.0-2+deb9u1 | vulnerable |
libapache2-mod-auth-mellon (PTS) | buster | 0.14.2-1 | vulnerable |
libapache2-mod-auth-mellon (PTS) | buster (security) | 0.14.2-1+deb10u1 | fixed |
libapache2-mod-auth-mellon (PTS) | bullseye | 0.17.0-1+deb11u1 | fixed |
libapache2-mod-auth-mellon (PTS) | bookworm | 0.18.1-1 | fixed |
libapache2-mod-auth-mellon (PTS) | sid, trixie | 0.19.0-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
libapache2-mod-auth-mellon | source | jessie | (unfixed) | end-of-life | | |
libapache2-mod-auth-mellon | source | buster | 0.14.2-1+deb10u1 | | DLA-3359-1 | |
libapache2-mod-auth-mellon | source | bullseye | 0.17.0-1+deb11u1 | | | |
libapache2-mod-auth-mellon | source | (unstable) | 0.18.0-1 | | | 991730 |
[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5