#VU86531 Resource exhaustion in mod_auth_openidc


Published: 2024-02-15

Vulnerability identifier: #VU86531

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24814

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
mod_auth_openidc
Web applications / Modules and components for CMS

Vendor: ZmartZone IAM

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling a vaery large mod_auth_openidc_session_chunks cookie value. A remote attacker can set the cookie to value 99999999 or higher, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

mod_auth_openidc: 2.4.0 - 2.4.15.1

External links
http://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
http://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP3 update for mod_auth_openidc
openEuler 22.03 LTS SP2 update for mod_auth_openidc
openEuler 22.03 LTS SP1 update for mod_auth_openidc
openEuler 22.03 LTS update for mod_auth_openidc
SUSE update for apache2-mod_auth_openidc
SUSE update for apache2-mod_auth_openidc
Fedora 39 update for mod_auth_openidc
Remote denial of service in mod_auth_openidc