DEBIAN-CVE-2019-3877

Advisory lineage Upstream: 1 Downstream: 1

Upstream

CVE-2019-3877

Downstream

DSA-4414-1

Published: 27 Mar 2019, 13:29

Last modified:28 Apr 2026, 20:20

Vulnerability Summary

Overall Risk (default)

low

24/100

CVSS Score

6.1 MEDIUM

3.0 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

27 Mar 2019, 13:29

Published

Vulnerability first disclosed

28 Apr 2026, 20:20

Last Modified

Vulnerability information updated

Description

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.

CVSS Metrics

v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Systems

debian•libapache2-mod-auth-mellon
< 0.14.2-1 | < 0.14.2-1 | < 0.14.2-1 | < 0.14.2-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2019-3877