
List:       oss-security
Subject:    [oss-security] CVE-2017-15700 - Apache Sling Authentication Service vulnerability
From:       Antonio Sanso <asanso () adobe ! com>
Date:       2017-12-18 15:45:25
Message-ID: B2EABFD5-AB0F-45B2-893A-FC86F95A59F0 () adobe ! com

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.
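The advisory does not describe which inputs isRedirectValid in 1.4.0 accepted incorrectly, so the following is not the Sling fix and not Sling code; it is an added example of the kind of strict post-login redirect check a defender wants in front of any login form: accept only an absolute path under the application's own context path, and reject anything that could carry the browser (and the credentials it just submitted, or the session it just obtained) to a different origin. The contextPath parameter and the class name are assumptions for the example.

```java
// Added example (not Apache Sling's code): strict validation of a post-login
// redirect target. Only paths inside this application's context path pass.
import java.net.URI;
import java.net.URISyntaxException;

public final class RedirectTargetCheck {

    private RedirectTargetCheck() {}

    /**
     * Returns true only if target is a same-application path.
     * contextPath is assumed to be the servlet context path, e.g. "/" or "/app".
     */
    public static boolean isSafeRedirectTarget(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Reject control characters and backslashes before parsing: browsers
        // normalise "\" to "/", so "/\evil.example" becomes "//evil.example".
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false; // unparsable input is never a valid target
        }
        // A scheme ("https:", "javascript:", "data:") or an authority
        // ("//evil.example") would leave this origin.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.normalize().getPath();
        if (path == null || !path.startsWith("/")) {
            return false; // must be an absolute path, not "evil" or "../x"
        }
        // normalize() keeps leading ".." it cannot resolve ("/../etc");
        // a browser would still climb out, so refuse any remaining dot-dot.
        if (path.contains("..")) {
            return false;
        }
        // The normalised path must still sit under the context path.
        String prefix = contextPath.endsWith("/") ? contextPath : contextPath + "/";
        return path.equals(contextPath) || path.startsWith(prefix);
    }

    // Constructed sample targets; the ones marked reject would leave the origin.
    public static void main(String[] args) {
        String[] samples = {
            "/content/home.html",            // accept
            "/content/../content/x.html",    // accept (normalises in place)
            "https://evil.example/login",    // reject: absolute URI
            "//evil.example/login",          // reject: protocol-relative
            "/\\evil.example",               // reject: backslash
            "javascript:alert(1)",           // reject: scheme
            "/content/../../etc",            // reject: escapes context path
            "home.html"                      // reject: relative path
        };
        for (String s : samples) {
            System.out.println(isSafeRedirectTarget(s, "/") + "  " + s);
        }
    }
}
```

The check is deliberately conservative: it whitelists a shape (absolute path under the context path) rather than blacklisting known bad prefixes, because the redirect bypasses that keep appearing in login handlers are variations on the same few tricks (protocol-relative URLs, backslashes, schemes, dot-dot segments) and a shape-based rule covers all of them at once. If the application URL-decodes the target before issuing the redirect, run this check on the decoded value as well.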

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit:
François Lajeunesse-Robert