Date: Mon, 18 Dec 2017 15:45:25 +0000
From: Antonio Sanso <asanso@...be.com>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>, "security@...ng.apache.org" <security@...ng.apache.org>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, François Lajeunesse-Robert <francois.lajeunesse.robert@...il.com>
Subject: CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache Sling Authentication Service 1.4.0

Description: A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

Mitigation: Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit: François Lajeunesse-Robert
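The advisory names the redirect-target check as the weak point but does not say how it failed. The example below is added here and is not Sling's code: it is a hypothetical, stand-alone redirect validator of the kind a login form needs, showing the off-site forms a defender must reject (absolute and protocol-relative URLs, backslash and percent-encoded variants, foreign schemes, control characters) while still allowing in-site targets. The `request_host` value is assumed to be the host (and port, if any) from the request's Host header.

```python
from urllib.parse import urlsplit, unquote


def is_redirect_valid(target: str, request_host: str, context_path: str = "/") -> bool:
    """Return True only if `target` stays on this host under `context_path`.

    Hypothetical reimplementation for illustration; it does not reproduce
    Sling's AuthUtil#isRedirectValid or the flaw described in CVE-2017-15700.
    """
    if not target:
        return False
    # Control characters and spaces can split headers or confuse URL parsers.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Decode once so "%2F%2Fevil.example" is judged like "//evil.example".
    decoded = unquote(target)
    # Browsers treat a backslash like a slash: "/\evil.example" means "//evil.example".
    decoded = decoded.replace("\\", "/")
    # Anything starting with two or more slashes is protocol-relative: off-site.
    if decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute URL: allow only http(s) pointing back at exactly this host.
        # "https://sling.example@evil.example/" fails because netloc != host.
        if parts.scheme not in ("http", "https"):
            return False
        if parts.netloc.lower() != request_host.lower():
            return False
    path = parts.path or "/"
    # A relative path ("content") would resolve against the current URL; reject it.
    if not path.startswith("/"):
        return False
    # Must be the context path itself or something below it ("/sling" vs "/slingevil").
    ctx = context_path.rstrip("/") + "/"
    return path == ctx.rstrip("/") or path.startswith(ctx)


def safe_resource(target: str, request_host: str, context_path: str = "/",
                  default: str = "/") -> str:
    """What a login handler would redirect to: the requested target if valid, else a safe default."""
    return target if is_redirect_valid(target, request_host, context_path) else default
```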