#VU86531 Resource exhaustion in mod_auth_openidc - CVE-2024-24814


Vulnerability identifier: #VU86531

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24814

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
mod_auth_openidc
Web applications / Modules and components for CMS

Vendor: ZmartZone IAM

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling a vaery large mod_auth_openidc_session_chunks cookie value. A remote attacker can set the cookie to value 99999999 or higher, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

mod_auth_openidc: 2.4.0 - 2.4.15.1

External links
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for mod_auth_openidc:2.3 module
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Red Hat Enterprise Linux 9 update for mod_auth_openidc
SUSE update for apache2-mod_auth_openidc
openEuler 22.03 LTS SP3 update for mod_auth_openidc
openEuler 22.03 LTS SP2 update for mod_auth_openidc
openEuler 22.03 LTS SP1 update for mod_auth_openidc
openEuler 22.03 LTS update for mod_auth_openidc
SUSE update for apache2-mod_auth_openidc
SUSE update for apache2-mod_auth_openidc