Candidate: CVE-2017-6413
PublicDate: 2017-03-02 06:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6413
Description:
 The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka
 mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not
 skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20"
 configuration, which allows remote attackers to bypass authentication via
 crafted HTTP traffic.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N [8.6 HIGH]

Patches_libapache2-mod-auth-openidc:
 upstream: https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e
upstream_libapache2-mod-auth-openidc: released (2.1.6-1)
precise_libapache2-mod-auth-openidc: DNE
precise/esm_libapache2-mod-auth-openidc: DNE
trusty_libapache2-mod-auth-openidc: DNE
trusty/esm_libapache2-mod-auth-openidc: DNE
vivid/stable-phone-overlay_libapache2-mod-auth-openidc: DNE
vivid/ubuntu-core_libapache2-mod-auth-openidc: DNE
xenial_libapache2-mod-auth-openidc: ignored (end of standard support, was needed)
yakkety_libapache2-mod-auth-openidc: ignored (reached end-of-life)
zesty_libapache2-mod-auth-openidc: ignored (reached end-of-life)
artful_libapache2-mod-auth-openidc: ignored (reached end-of-life)
bionic_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
cosmic_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
disco_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
eoan_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
focal_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
groovy_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
hirsute_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
impish_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
jammy_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
devel_libapache2-mod-auth-openidc: not-affected (2.3.3-1build1)
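The following is an added illustration of the header-scrubbing step this entry describes; it is not code from mod_auth_openidc or from the upstream fix. It models a reverse-proxy authenticator that, before forwarding a request to the protected backend, is supposed to drop any client-supplied header the backend trusts: headers carrying the claim prefix (OIDC_CLAIM_ is the module's default prefix, as the description states) and the header named by OIDCAuthNHeader. The pre-2.1.6 behaviour from the description is modelled by running the scrub only for AuthType openid-connect and not for oauth20. The authn header name X-Remote-User, the token claims, the bearer token and the crafted request are all constructed for the example; headers are kept in a plain dict, so the scrub compares names case-insensitively itself, as HTTP header names are.

```python
# Added example (not mod_auth_openidc code): model of claim-header scrubbing
# before a request reaches a backend that trusts OIDC_CLAIM_* headers.

CLAIM_PREFIX = "OIDC_CLAIM_"     # module's default OIDCClaimPrefix, per the CVE text
AUTHN_HEADER = "X-Remote-User"   # assumed value of OIDCAuthNHeader for this example

# AuthTypes for which incoming claim headers are stripped.
PRE_2_1_6 = ("openid-connect",)            # oauth20 requests were not scrubbed
FIXED = ("openid-connect", "oauth20")      # both AuthTypes are scrubbed


def scrub_client_headers(headers, claim_prefix=CLAIM_PREFIX, authn_header=AUTHN_HEADER):
    """Drop every client-supplied header the backend would trust.

    Matching is case-insensitive: a client sending 'oidc_claim_role' must be
    treated the same as one sending 'OIDC_CLAIM_role'.
    """
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(claim_prefix.lower()) or lname == authn_header.lower():
            continue
        kept[name] = value
    return kept


def build_backend_headers(client_headers, auth_type, token_claims, scrub_for=FIXED):
    """Return the header set handed to the backend for one authenticated request.

    scrub_for selects which AuthTypes get their incoming claim headers removed;
    passing PRE_2_1_6 reproduces the vulnerable behaviour for 'oauth20'.
    """
    headers = dict(client_headers)
    if auth_type in scrub_for:
        headers = scrub_client_headers(headers)
    # Claims from the validated token are set after scrubbing, so only they
    # should ever reach the backend under the trusted names.
    for claim, value in token_claims.items():
        headers[CLAIM_PREFIX + claim] = value
    if "sub" in token_claims:
        headers[AUTHN_HEADER] = token_claims["sub"]
    return headers


# Constructed sample: a request from a caller holding a valid but low-privilege
# token, who also injects claim headers the token does not carry.
CRAFTED_REQUEST = {
    "Authorization": "Bearer eyJ...",          # placeholder token string
    "oidc_claim_role": "admin",                # injected; note the lower case
    "OIDC_CLAIM_email": "ceo@example.com",     # injected
    "X-Remote-User": "root",                   # injected authn header
    "Accept": "application/json",
}
# Constructed sample: what validating the caller's real token yields.
TOKEN_CLAIMS = {"sub": "alice", "scope": "read"}


def attacker_controlled(backend_headers, request=CRAFTED_REQUEST):
    """Names of trusted headers whose value the backend receives verbatim from the client."""
    def trusted(name):
        lname = name.lower()
        return lname.startswith(CLAIM_PREFIX.lower()) or lname == AUTHN_HEADER.lower()
    return sorted(n for n, v in backend_headers.items() if trusted(n) and request.get(n) == v)


if __name__ == "__main__":
    for label, policy in (("pre-2.1.6", PRE_2_1_6), ("fixed", FIXED)):
        backend = build_backend_headers(CRAFTED_REQUEST, "oauth20", TOKEN_CLAIMS, policy)
        print(f"AuthType oauth20, {label}: attacker-controlled trusted headers ="
              f" {attacker_controlled(backend)}")
```

With the pre-2.1.6 policy the injected role and email headers reach the backend unchanged alongside the genuine OIDC_CLAIM_sub, so any backend that reads OIDC_CLAIM_role to make an authorization decision is fooled even though the token itself was valid; with scrubbing applied to oauth20 as well, only values derived from the validated token survive under the trusted names. The lower-cased injected header is the case a naive exact-match scrub misses, which is why the comparison lowercases both sides.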