CVE-2019-3877 MEDIUM

Vendor Uninett
Product mod_auth_mellon
Weakness CWE-601 · Open redirect
Published March 27, 2019
Last update August 4, 2024

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL lets requests containing backslashes pass through, because the validation assumes such a URL is relative, while browsers silently convert backslash characters into forward slashes and treat the result as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in the apr_uri_parse function.
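An added example, not mod_auth_mellon's own code: a simplified model of the mismatch described above, with the flawed relative-URL check beside a hardened one that refuses backslashes before parsing. The function names, the host-detection model and the `example.test` sample are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a URI parser's view (an assumption, not apr_uri_parse):
   a host is present only after "scheme://" or a leading "//". */
static bool parser_sees_host(const char *url)
{
    const char *p = url;
    if (url[0] == '/' && url[1] == '/')
        return true;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    return p != url && strncmp(p, "://", 3) == 0;
}

/* What a browser does with the same string: every '\' becomes '/'. */
static void browser_view(const char *url, char *out, size_t n)
{
    size_t i;
    if (n == 0) return;
    for (i = 0; url[i] != '\0' && i + 1 < n; i++)
        out[i] = (url[i] == '\\') ? '/' : url[i];
    out[i] = '\0';
}

/* Flawed check described above: no host seen, so the URL counts as relative. */
bool naive_redirect_allowed(const char *url)
{
    return !parser_sees_host(url);
}

/* Hardened check: refuse '\' and control characters, then allow only a local path. */
bool strict_redirect_allowed(const char *url)
{
    for (const char *p = url; *p != '\0'; p++)
        if (*p == '\\' || (unsigned char)*p < 0x20 || *p == 0x7f)
            return false;
    return url[0] == '/' && !parser_sees_host(url);
}

int main(void)
{
    const char *sample = "/\\example.test/logout"; /* constructed sample */
    char seen[64];
    browser_view(sample, seen, sizeof seen);
    printf("naive=%d strict=%d browser_host=%d\n", naive_redirect_allowed(sample), strict_redirect_allowed(sample), parser_sees_host(seen));
}
```

The same inputs make a useful regression test for any redirect validator: a value the check accepts as relative must still be relative after the browser-style normalization.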

Key dates

02 Disclosure timeline

March 27, 2019 CVE published
August 4, 2024 Record updated