Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mod_auth_mellon
(Uninett)| Repositories | https://github.com/UNINETT/mod_auth_mellon |
| #Vulnerabilities | 6 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-08-22 | CVE-2021-3639 | A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity. | Mod_auth_mellon | 6.1 | ||
| 2014-11-15 | CVE-2014-8566 | The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory." | Linux, Mod_auth_mellon | N/A | ||
| 2014-11-14 | CVE-2014-8567 | The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. | Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Mod_auth_mellon | N/A | ||
| 2017-03-13 | CVE-2017-6807 | mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site. | Mod_auth_mellon | 6.1 | ||
| 2016-04-15 | CVE-2016-2146 | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data. | Fedora, Mod_auth_mellon | 7.5 | ||
| 2016-04-15 | CVE-2016-2145 | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via a crafted POST data. | Fedora, Mod_auth_mellon | 7.5 |