UBUNTU-CVE-2019-3878

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2019-3878

Downstream

USN-3924-1 USN-4597-1

Published: 21 Mar 2019, 00:00

Last modified:04 Feb 2026, 04:14

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

8.1 HIGH

3.0 (osv_ubuntu)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

21 Mar 2019, 00:00

Published

Vulnerability first disclosed

04 Feb 2026, 04:14

Last Modified

Vulnerability information updated

Description

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

CVSS Metrics

v3.0•HIGH•Score: 8.1CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Systems

ubuntu•libapache2-mod-auth-mellon
< 0.12.0-2+deb9u1build0.16.04.1 | < 0.13.1-1ubuntu0.1 | < 0.14.2-1ubuntu1