A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2019-03-26T17:44:29

Updated: 2024-08-04T19:19:18.665Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3878

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-03-26T18:29:00.983

Modified: 2024-11-21T04:42:46.800

Link: CVE-2019-3878

cve-icon Redhat

Severity : Important

Publid Date: 2018-05-10T00:00:00Z

Links: CVE-2019-3878 - Bugzilla