{"id":"CVE-2019-20479","details":"A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.","modified":"2026-04-16T04:36:35.554213959Z","published":"2020-02-20T06:15:11.027Z","related":["ALSA-2020:3032","SUSE-SU-2020:0705-1","SUSE-SU-2020:0706-1","SUSE-SU-2025:4532-1","openSUSE-SU-2020:0376-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27XJYAEONKJDESNE7WVZF5D2Z2OBY5JK/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NGXONXPWTX7DV62TIUIUVOZF4KQ6SIJE/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00035.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00036.html"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/pull/453"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidc/mod_auth_openidc","events":[{"introduced":"0"},{"fixed":"94d2cf2bd4581b0c393b750587b621d33e2f4e0e"},{"fixed":"02431c0adfa30f478cf2eb20ed6ea51fdf446be7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.1"}]}}],"versions":["2.3.11rc1","v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9","v2.0.0","v2.0.0rc1","v2.0.0rc4","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.2.0","v2.3.0","v2.3.0rc0","v2.3.0rc3","v2.3.1","v2.3.10","v2.3.10.1","v2.3.10.2","v2.3.11","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.0.1","v2.4.0.2","v2.4.0.3","v2.4.0.4"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:39:54Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]}],"vanir_signatures":[{"deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_mutex_destroy"},"source":"https://github.com/openidc/mod_auth_openidc/commit/94d2cf2bd4581b0c393b750587b621d33e2f4e0e","signature_version":"v1","signature_type":"Function","id":"CVE-2019-20479-05aa1e3f","digest":{"function_hash":"292571528579285139739553888024721725778","length":553}},{"deprecated":false,"target":{"file":"src/cache/common.c"},"source":"https://github.com/openidc/mod_auth_openidc/commit/94d2cf2bd4581b0c393b750587b621d33e2f4e0e","signature_version":"v1","signature_type":"Line","id":"CVE-2019-20479-339a2278","digest":{"line_hashes":["199370385196264008088677233345752309063","5074136558242366934413352575790907147","65396395535408745366843203444097860275","115734331422631327239312339581567078434","244197310894902504449748704406048077242","279679966921650120632441670303460601414","50353192814854080748463185925216379361","288313765875823845552638405548810835708","329082806999490161391590921094917349001","112785618798974126610844099124471876307","183711922263090499335521941596037306329","116984925139315876825063513942341048620","43917158376661601226679076315876029190","329770745295793924214238739214481751620","119531293556308819516382198959556804849","126490398248283259180254736651881614186","321801973304148796263225390607756681945","259434629331703982302890190343030298605"],"threshold":0.9}},{"deprecated":false,"target":{"file":"src/cache/shm.c"},"source":"https://github.com/openidc/mod_auth_openidc/commit/94d2cf2bd4581b0c393b750587b621d33e2f4e0e","signature_version":"v1","signature_type":"Line","id":"CVE-2019-20479-7bed0376","digest":{"line_hashes":["9786757787665961887895905625459747500","124355243522583329622942131911663822078","53210297840531005206572427125477654461","122317155771460493737853805728013356384","151341049909999925075959818082636278347","115864870007998282574785941438617754608","80445514014107175002522979962412074664"],"threshold":0.9}},{"deprecated":false,"target":{"file":"src/cache/shm.c","function":"oidc_cache_shm_destroy"},"source":"https://github.com/openidc/mod_auth_openidc/commit/94d2cf2bd4581b0c393b750587b621d33e2f4e0e","signature_version":"v1","signature_type":"Function","id":"CVE-2019-20479-a7ec0fae","digest":{"function_hash":"21434340826836178884602067701743101447","length":496}},{"deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_mutex_post_config"},"source":"https://github.com/openidc/mod_auth_openidc/commit/94d2cf2bd4581b0c393b750587b621d33e2f4e0e","signature_version":"v1","signature_type":"Function","id":"CVE-2019-20479-bf29c084","digest":{"function_hash":"208742624046330703456231157834671144335","length":1286}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20479.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}