Your submission was sent successfully! Close

CVE-2021-3639

Published: 4 August 2021

A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
libapache2-mod-auth-mellon
Launchpad, Ubuntu, Debian
bionic
Released (0.13.1-1ubuntu0.3)
focal
Released (0.16.0-1ubuntu0.1)
hirsute
Released (0.17.0-1ubuntu0.21.04.1)
impish
Released (0.17.0-1ubuntu1)
jammy
Released (0.17.0-1ubuntu1)
trusty Does not exist

upstream Needs triage

xenial Ignored
(out of standard support)
Patches:
upstream: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5