{"id":"CVE-2017-6062","details":"The \"OpenID Connect Relying Party and OAuth 2.0 Resource Server\" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an \"OIDCUnAuthAction pass\" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.","modified":"2026-04-11T04:59:43.970563Z","published":"2017-03-02T06:59:00.230Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH/"},{"type":"FIX","url":"https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog"},{"type":"FIX","url":"https://github.com/pingidentity/mod_auth_openidc/issues/222"},{"type":"FIX","url":"https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidc/mod_auth_openidc","events":[{"introduced":"0"},{"last_affected":"66a873398aaa816460f00c3fa167315cf22436e0"},{"fixed":"e81822a7d5f5bdf04ba03ca92680821893303850"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.4"}]}}],"versions":["v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9","v2.0.0","v2.0.0rc1","v2.0.0rc4","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:59:43Z","vanir_signatures":[{"deprecated":false,"id":"CVE-2017-6062-52ab9169","digest":{"threshold":0.9,"line_hashes":["324389110975062152997128778931728905211","152318813777326227190711828689954873884","121968274078813223348073188492985639520","195878975772069471775001186274537783816","14068290540346082033104791455712297064","110055679037368288760605636742227139861","111294165517741646199017371710611676395","278945173429800584441645734551228449926","142421153620309442185703083496499538401","236743154285405913172971894557261355266","143690780221429256596881591379080579095","83774172051446986695428302243052929936","117984124392778747583104912066583298362","173927667228971011105139773653306542747","286862810251338442830903801741102728729","130566670204652639318084985979800826271","329389427395940680308013088225565378365","145764464254468082961938229952210584802"]},"target":{"file":"src/mod_auth_openidc.c"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850"},{"deprecated":false,"id":"CVE-2017-6062-77543a8e","digest":{"function_hash":"23087062502499850250068183479776194754","length":1680},"target":{"function":"oidc_check_userid_openidc","file":"src/mod_auth_openidc.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850"},{"deprecated":false,"id":"CVE-2017-6062-c9ad601c","digest":{"function_hash":"301378486185075427509235490601443248735","length":2785},"target":{"function":"oidc_handle_existing_session","file":"src/mod_auth_openidc.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/e81822a7d5f5bdf04ba03ca92680821893303850"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6062.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}