mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 18.104.22.168, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack in which a crafted URL is supplied in the target_link_uri parameter. A patch in version 22.214.171.124 made it so that the OIDCRedirectURLsAllowed setting must be applied to the target_link_uri parameter. There are no known workarounds aside from upgrading to a patched version.
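
The following is an added example, not code from mod_auth_openidc or from this advisory: a small audit helper for checking which target_link_uri values a set of OIDCRedirectURLsAllowed regular expressions would accept. It assumes the patterns are applied with unanchored (search) matching; the host names, sample URLs and function names are constructed for illustration.

```python
import re

# Constructed patterns, written as they would follow OIDCRedirectURLsAllowed.
# Assumption: matching is unanchored, so anchoring is the administrator's job.
LOOSE_PATTERNS = [r"app.example.com"]
STRICT_PATTERNS = [r"^https://app\.example\.com(/|$)"]

# Constructed sample values for the target_link_uri parameter.
SAMPLES = [
    "https://app.example.com/dashboard",
    "https://app.example.com",
    "https://other.test/?next=app.example.com",
    "https://app.example.com.other.test/",
    "//other.test/",
    "https://appXexample.com/",
]

def is_allowed(target_link_uri, patterns):
    """Return True if the URL matches at least one allow-list pattern."""
    # Extra defensive check in this example: refuse empty values and
    # characters that browsers or header handling may reinterpret.
    if not target_link_uri or any(c in target_link_uri for c in "\r\n\\"):
        return False
    return any(re.search(p, target_link_uri) for p in patterns)

def audit(patterns, samples):
    """Return the sample URLs that the pattern set would accept."""
    return [u for u in samples if is_allowed(u, patterns)]

def resolve_redirect(target_link_uri, patterns, default_url):
    """Redirect to the requested URL only if allow-listed, else to a default."""
    if is_allowed(target_link_uri, patterns):
        return target_link_uri
    return default_url

if __name__ == "__main__":
    for name, pats in (("loose", LOOSE_PATTERNS), ("strict", STRICT_PATTERNS)):
        print(name, "accepts:")
        for url in audit(pats, SAMPLES):
            print("   ", url)
```

The loose pattern accepts URLs on other hosts because it is neither anchored nor escaped, while the strict pattern accepts only the two URLs on the intended origin.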