PublicDateAtUSN: 2019-03-21
Candidate: CVE-2019-3878
PublicDate: 2019-03-26 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878
 https://github.com/Uninett/mod_auth_mellon/pull/196
 https://ubuntu.com/security/notices/USN-3924-1
 https://ubuntu.com/security/notices/USN-4597-1
Description:
 A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is
 configured as a reverse proxy and mod_auth_mellon is configured to only let
 through authenticated users (with the require valid-user directive), adding
 special HTTP headers that are normally used to start the special SAML ECP
 (non-browser based) can be used to bypass authentication.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925197
 https://bugzilla.redhat.com/show_bug.cgi?id=1576719
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_libapache2-mod-auth-mellon:
 upstream: https://github.com/Uninett/mod_auth_mellon/commit/e09a28a30e13e5c22b481010f26b4a7743a09280
upstream_libapache2-mod-auth-mellon: needs-triage
precise/esm_libapache2-mod-auth-mellon: DNE
trusty_libapache2-mod-auth-mellon: ignored (reached end-of-life)
trusty/esm_libapache2-mod-auth-mellon: DNE (trusty was needs-triage)
xenial_libapache2-mod-auth-mellon: released (0.12.0-2+deb9u1build0.16.04.1)
bionic_libapache2-mod-auth-mellon: released (0.13.1-1ubuntu0.1)
cosmic_libapache2-mod-auth-mellon: released (0.14.0-1ubuntu0.1)
disco_libapache2-mod-auth-mellon: released (0.14.2-1ubuntu1)
eoan_libapache2-mod-auth-mellon: released (0.14.2-1ubuntu1)
focal_libapache2-mod-auth-mellon: released (0.14.2-1ubuntu1)
groovy_libapache2-mod-auth-mellon: released (0.14.2-1ubuntu1)
devel_libapache2-mod-auth-mellon: released (0.14.2-1ubuntu1)