[Bug 2106320] Re: OIDCProviderAuthRequestMethod POST leaks protected data
Nishit Majithia
2106320 at bugs.launchpad.net
Tue Jun 3 11:05:19 UTC 2025
** Changed in: libapache2-mod-auth-openidc (Ubuntu Focal)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-openidc in Ubuntu.
https://bugs.launchpad.net/bugs/2106320
Title:
OIDCProviderAuthRequestMethod POST leaks protected data
Status in libapache2-mod-auth-openidc package in Ubuntu:
Fix Committed
Status in libapache2-mod-auth-openidc source package in Bionic:
New
Status in libapache2-mod-auth-openidc source package in Focal:
Won't Fix
Status in libapache2-mod-auth-openidc source package in Jammy:
Fix Released
Status in libapache2-mod-auth-openidc source package in Noble:
Fix Released
Status in libapache2-mod-auth-openidc source package in Oracular:
Fix Released
Status in libapache2-mod-auth-openidc source package in Plucky:
Fix Released
Bug description:
Versions up to and including 2.4.16.10
CVE-2025-31492
When doing authentication, and when configured with
OIDCProviderAuthRequestMethod POST, the protected resource is appended
to the normal http response. This exposes protected data to people who
have not been authenticated/authorised.
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-59jp-
rwph-878r
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-openidc/+bug/2106320/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list