{"id":"CVE-2021-32791","details":"mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES-GCM encryption uses a static IV and AAD. This is important to fix because it creates a static nonce, and since AES-GCM is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values by using the cjose AES encryption routines.","modified":"2026-04-10T09:34:21.569340Z","published":"2021-07-26T17:15:08.100Z","related":["ALSA-2022:1823","GHSA-px3c-6x7j-3r9r","MGASA-2021-0452","SUSE-SU-2021:3020-1","SUSE-SU-2021:3352-1","SUSE-SU-2025:4532-1","openSUSE-SU-2021:1277-1","openSUSE-SU-2021:3020-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/"},{"type":"ADVISORY","url":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidc/mod_auth_openidc","events":[{"introduced":"0"},{"fixed":"e33cd488cb9ce027dae692e06767a0ba7ed5e1de"},{"fixed":"375407c16c61a70b56fdbe13b0d2c8f11398e92c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2
.4.9"}]}}],"versions":["2.3.11rc1","v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9","v2.0.0","v2.0.0rc1","v2.0.0rc4","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.2.0","v2.3.0","v2.3.0rc0","v2.3.0rc3","v2.3.1","v2.3.10","v2.3.10.1","v2.3.10.2","v2.3.11","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.0.1","v2.4.0.2","v2.4.0.3","v2.4.0.4","v2.4.1","v2.4.2","v2.4.2.1","v2.4.3","v2.4.4","v2.4.4.1","v2.4.5","v2.4.6","v2.4.7","v2.4.7.1","v2.4.7.2","v2.4.8.1","v2.4.8.2","v2.4.8.3","v2.4.8.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32791.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_crypto_encrypt"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"250562795330335019704681508981657810738","length":1022},"id":"CVE-2021-32791-3410a732","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_crypto_decrypt"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"253291170206590963414822622960361785398","length":1008},"id":"CVE-2021-32791-46f4b063","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_hash_passphrase"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"92559305399557349051024400105335262763","length":401},"id":"CVE-2021-32791-553199b1","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/com
mon.c","function":"oidc_cache_set"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"50824039619987814630976910488863822291","length":1242},"id":"CVE-2021-32791-7c79f001","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_crypto_decrypt_impl"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"176896071813901854226229414800413303095","length":1392},"id":"CVE-2021-32791-b09aaed3","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_crypto_encrypt_impl"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"260838582536566669801506875545538336068","length":1357},"id":"CVE-2021-32791-d011d3db","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"src/cache/common.c","function":"oidc_cache_get"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"function_hash":"191306385702304762739582899165071079665","length":1215},"id":"CVE-2021-32791-d89c75c5","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"src/cache/common.c"},"source":"https://github.com/openidc/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c","digest":{"threshold":0.9,"line_hashes":["156255299053112132762825430703316685951","185322592414925009870069742229243925281","53077520254561320782236454456918075650","254083255781670708536352374402204558354","309705482797698645281036614972150766612","55596712159067281806908116373566538977","84194749974628692869610081683736835521","165082338396806535767783375325166712491","228432075416671078617478664271417844586","1919815068730
61424291028388386391452137","205188685741364318779881990275770020336","316419983629328583114539586127423720370","311710907834770073962670615904202742590","270073058618608343218324127931830520580","138765397666076883972120750158076296892","244332763180239870671873805361981494663","300737313482164176804694803115580284903","238801984068005562838700130738979606645","138071990061186975927139445381290948950","259409784909711448242533626166111232754","73138705246083704374596506765049971632","177236131095428911212035955905038567509","22798411808482757467429707341782841184","153187384264951755713272029343660758854","234708831839674554995417639633134429645","97656718973528419498363433997672785125","51242457202506791262137908173213209662","198027294770867711374492104184935191240","80868086533319287985849148989544490014","46368458574390256871403767342170195242","305880151762903202189229001346931335009","82974136985871116221968187965535929127","130062306459255247634997894165593173138","89019374499921317236331394997350886848","314002807482099249436170259679197952385","132380489555540993166853155187532881021","322432942619653871755104958929373553995","259610954863542919056704193535718531392","324191877213770532430056140983706237187","53383834391029722230732632049727023154","114387955504679482013840692972064713848","280378827662732245948463272096552034615","203996651793267496415451604780220988197","293326475122764766260644978888108293722","95729155691427145684339468703153563168","245723954451457860889408282434054373636","115943576989866641670493706107413173586","236568710890346818824847308900736135936","328377700892884975336616739288968901693","30973060583518789268000972351659584596","32053057207480748183225093597615470773","162340190057482888003137666960454809063","47146610669871313358843590766378724675","121257360076279913431622994110345007724","177279646214215416488218712767986179993","171546736445558953101849600662931211756","48717214881218353481460509844269438176","27419903295
2300622984721613388704048206","237130047246986339797716806874535256998","313045581465844685793173706417468348973","323938763407312416072374703961615642336","138765397666076883972120750158076296892","179021268317662932767539471728071399703","324810305206288551572737972225144765161","196207910761685844419776034502131067922","99214296289839573948641986879161611978","181210774179821199455689550857917081822","73138705246083704374596506765049971632","177236131095428911212035955905038567509","22798411808482757467429707341782841184","273986279088130521633017444225678510150","314263628720835063468260579140147328126","178813311421197209317072016097923494974","143873146936613498137960863036359229722","203715353371403376813695884763466604190","84425043420407738705951521414416376018","114321257168265669991991562885158585043","177661523318807723927793893372656869941","82974136985871116221968187965535929127","267020731388996753184654188027805998956","95675083945555218329235750495416802178","91281501756069869219357338600675578611","251436727255526947383912453373739341094","86736183212505594516515948252001820934","185820299094294138319837208074039466261","117767176230266335329757578349304777297","304309579774504136860325387697859945116","235077689107710489444333963504948040097","115943576989866641670493706107413173586","178833977551813297628572917353412508528","283007344168748427212877960911516846248","81322756089128139711197852553800192157","146166316099635626901933722042625945840","19375195380225878589981173916950095945","306764790122684195755536818738449794374","143473923512351953000835025819580460932","219918108354817816131577267692347409021","305008275453871914384847731849684867239","271734265648167322391392687390881126030","288158354002000898471703494893002776358","287501850322777688808828095357270606887","271993161305591042065111199585692787711","202849444701857101156506562090229155551","222530814494381549727197926042021112453","336117438746694390551409458528333340472","36557
650504945223163325635937308271647","212197518205525887293162166189643666555","14784282809329029709119730525844231133","260176515667011240000757008518488315070","157292760012261719827299418547174991839","25729069699896415045081174686752951209","163195046734169846524590459271239901910","137275941152841539402810957254504423444","228550037123715063894460863578371212890","175042122345452822417388964727334243450","246433797705758489959633535565609139057","29025851836674290808864752459967329033","274314788340541785678938008475746684669","59701318902070282612588018106700441525","58170460660986822379666441162675999754","336639650282290500040268905661720950332","150855182980544184518145085698278708497","214299401321645115811199823543088507945","310895999707247267231641501706901721453","309253957919172556550589572273854087767","179940984525260183442130975464073211470","192471994038102284919894870262102670828","55124859756815677150913944727755851251","32947196513718841680853484668746031990","120369357079827996010447062080773437228","124790436746860775234890363684953623788","300902328261019738144554051477834001050","188341716053790642162499271155991792245","311601661279178601871761169935069410043","309679747613813734959786711242906088579","265385428548396502206694659555296784732","149029695148744732399590320257344728573","247546088238601544072053656992701940727","177999829571181083172904626586024140255","174709420379309456293207700957998264119","257095437694711076023426478486175571895","112858089363619379363049024627870940162","265552441252624724999559024793892565289","242027663179629251001183686536210570192","94094832206342472030443059238186210308","221999485828388373779050376092529821423","345056343527617326979729894228745516","23384767702050693418708274746118604573","294348920675214431865169042858078146588","33893954883833251117728074751273231512","193474062961431651982352860151493739498","10367704454035058052106491587507404989","81856479111069059516291474039158055590","24466
2673701351858712566981365946129652","315685382776965195265456549100834903254","273339387013300340995948591319434145560","280775413612433996582589722032924931996","167084860716988408737267124957575204613","77293621828517668845180878031115258444","130717820849760010136541191818035038658","27096666673301751355656568763214285709","143518177815869853396915484595329372174","209347392112805043778297463263768550625","267838456551841246928457283525050318943","122790786193497619639323968044031303296","300427781318550251026411708842414678209","211875299269214495200244449351432868335","201869273277298355807783989755294843884","140566006237809142175797415761922379980","143472556069293780384827232790043821025","30907675188096213550587303178631308135","3018200365705476605301182116554601993","6420698597928211904023905589700018327","4837903225659652994195057726413603756","69525278581386573656809325595102475467","325035940259067012504222201895847386103","311076769045797049163895009707638937826","86464905528834507614831290596024761271","246768602825653831206553748305897171181","86581943982539732380777537330213171379","327867292626799737776852731001696956510","271302530594332220157473755058955561656","45780866610219483222391657253722135178","188707219644572020049444330752623766405","160623757648229900260145248064962663049","297609638882992040082083692645027411572","158762335211648551940359522845606898975","303489669007547327707305747243946164552","334087797540359583226625728866182353743","39456851190398403873336383536361689848","5061869216630355881703523949798831773","164626675210803499492045307372711140616","4690441673581269876355375338999005532","15613556383921681392927587028246834110","47982920697339794782163443690033108042","202675862216766258252345687695578894212","75864251001848929021535781604510667505","314703375081631966549474215970673234553","173037247205717303652133944661148772387","329243072330259438500205364650830114156","267702587742755581392400240582507191573","3137254103
71641276062868119392461527964","71684941468643183913431112031536192984","253581847142487442144932972536058580897","265782079289039989211817996059054698194"]},"id":"CVE-2021-32791-dd64ec79","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-10T09:34:21Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}