[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data

Eduardo Barretto 2106320 at bugs.launchpad.net
Mon Apr 14 09:29:27 UTC 2025


** Also affects: libapache2-mod-auth-openidc (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: libapache2-mod-auth-openidc (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: libapache2-mod-auth-openidc (Ubuntu Jammy)
     Assignee: (unassigned) => Eduardo Barretto (ebarretto)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
https://bugs.launchpad.net/bugs/2106320

Title:
  OIDCProviderAuthRequestMethod POST leaks protected data

Status in libapache2-mod-auth-openidc package in Ubuntu:
  New
Status in libapache2-mod-auth-openidc source package in Bionic:
  New
Status in libapache2-mod-auth-openidc source package in Focal:
  New
Status in libapache2-mod-auth-openidc source package in Jammy:
  New
Status in libapache2-mod-auth-openidc source package in Noble:
  New
Status in libapache2-mod-auth-openidc source package in Oracular:
  New
Status in libapache2-mod-auth-openidc source package in Plucky:
  New

Bug description:
  Versions up to and including 2.4.16.10
  CVE-2025-31492

  When doing authentication, and when configured with
  OIDCProviderAuthRequestMethod POST, the protected resource is appended
  to the normal HTTP response. This exposes protected data to people who
  have not been authenticated/authorised.

  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-rwph-878r

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions
