Date: Mon, 18 Dec 2017 15:45:25 +0000
From: Antonio Sanso <asanso@...be.com>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>,
	"security@...ng.apache.org" <security@...ng.apache.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	François Lajeunesse-Robert
	<francois.lajeunesse.robert@...il.com>
Subject: CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit:
François Lajeunesse-Robert