{"id":"RLSA-2022:1823","summary":"Moderate: mod_auth_openidc:2.3 security update","details":"The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. \n\nSecurity Fix(es):\n\n* mod_auth_openidc: open redirect in oidc_validate_redirect_url() (CVE-2021-32786)\n\n* mod_auth_openidc: hardcoded static IV and AAD with a reused key in AES GCM encryption (CVE-2021-32791)\n\n* mod_auth_openidc: XSS when using OIDCPreservePost On (CVE-2021-32792)\n\n* mod_auth_openidc: open redirect due to target_link_uri parameter not validated (CVE-2021-39191)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.","modified":"2026-02-04T19:15:12.519123Z","published":"2022-05-10T06:30:32Z","upstream":["CVE-2021-32786","CVE-2021-32791","CVE-2021-32792","CVE-2021-39191"],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2022:1823"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1986102"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1986395"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1986397"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2001646"}],"affected":[{"package":{"name":"cjose","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/cjose?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:0.6.1-2.module+el8.3.0+129+2feafa46"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2022:1823.json"}},{"package":{"name":"mod_auth_openidc","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/mod_auth_openidc?distro=rocky-linux-8-6-legacy&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.3.7-11.module+el8.6.0+840+73eca44e"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2022:1823.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}