The OpenID Connect Relying Party and OAuth 2.0 Resource Server (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an AuthType oauth20 configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Mod_auth_openidc | Openidc | * | 2.1.5 (including) |