Date: Mon, 18 Dec 2017 15:45:25 +0000
From: Antonio Sanso <asanso@...be.com>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>,
	"security@...ng.apache.org" <security@...ng.apache.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	François Lajeunesse-Robert
	<francois.lajeunesse.robert@...il.com>
Subject: CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit:
François Lajeunesse-Robert
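The advisory does not spell out what isRedirectValid got wrong, only that the login form could be made to forward a victim somewhere an attacker chose. The following is an added example, not Apache Sling's own code or a reconstruction of the fixed method: it shows the kind of check a post-login redirect target needs so that the form can only ever land the user on a path under the application's own context. The class name, the method name isLocalRedirect, the contextPath parameter and the sample inputs are all constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Apache Sling's own code): a conservative validator for
 * the redirect target a login form accepts after authentication. Forwarding
 * to an attacker-chosen absolute URL lets a look-alike page harvest
 * credentials; restricting the target to a local path under the application's
 * context closes that avenue.
 */
public final class RedirectTargetValidator {

    private RedirectTargetValidator() {}

    /**
     * Returns true only if {@code target} is a same-origin path beneath
     * {@code contextPath} (both names are hypothetical for this example).
     */
    public static boolean isLocalRedirect(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Reject control characters, whitespace and backslashes: browsers and
        // proxies normalise some of these, which can turn a "local" string
        // into a cross-origin reference after the check has passed.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        // Percent-encoded slash or backslash would survive URI.normalize()
        // untouched; refuse rather than reason about container decoding.
        String lower = target.toLowerCase();
        if (lower.contains("%2f") || lower.contains("%5c")) {
            return false;
        }
        // Must be an absolute path on this host with exactly one leading '/'.
        // "//host/path" is a scheme-relative reference to another origin.
        if (target.charAt(0) != '/' || target.startsWith("//")) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // Anything that parsed out a scheme or authority is not a local path.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Collapse "." and ".." segments, then confirm the result still sits
        // under the application's context path.
        String normalised = uri.normalize().getRawPath();
        if (normalised == null || !normalised.startsWith("/")) {
            return false;
        }
        String base = contextPath == null ? "" : contextPath;
        return normalised.equals(base) || normalised.startsWith(base + "/");
    }

    public static void main(String[] args) {
        String ctx = "/app";
        String[] samples = {                              // constructed inputs
            "/app/content/page.html",                     // allow
            "/app/../etc/passwd",                         // escapes context: reject
            "//other.example/login",                      // scheme-relative: reject
            "https://other.example/",                     // absolute URL: reject
            "/\\other.example",                           // backslash trick: reject
            "/app/page?next=https://other.example/"       // allow: query is data
        };
        for (String s : samples) {
            System.out.printf("%-45s %s%n", s, isLocalRedirect(s, ctx) ? "allow" : "reject");
        }
    }
}
```

The order of the checks matters: the character and encoding screens run before URI parsing so that inputs the parser would silently tolerate never reach the path comparison, and the context-path test runs on the normalised path rather than the raw string so that ".." segments cannot walk out of the application.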