Date: Mon, 18 Dec 2017 15:45:25 +0000
From: Antonio Sanso <asanso@...be.com>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>, "security@...ng.apache.org" <security@...ng.apache.org>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, François Lajeunesse-Robert <francois.lajeunesse.robert@...il.com>
Subject: CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache Sling Authentication Service 1.4.0

Description: A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.

Mitigation: Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit: François Lajeunesse-Robert
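The advisory names the redirect-validity check behind the login form as the weak point: if the target a login form sends the browser to after authentication is not constrained to the application's own origin, the form can be used to hand a victim to an attacker-controlled page. The following Java class is an added illustration of what a strict check on such a redirect parameter looks like; it is not Apache Sling's AuthUtil#isRedirectValid, the class and method names are hypothetical, and the sample targets in main are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical post-login redirect validator (added example, not Sling code).
 * Only an absolute-path target on the same origin ("/some/page") is accepted;
 * anything carrying a scheme, an authority, a backslash or a control character
 * is rejected before the login form ever issues a redirect to it.
 */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {}

    public static boolean isSafeRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Control characters and whitespace have no place in a redirect target
        // (they are also what CR/LF header-injection attempts rely on).
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                return false;
            }
        }
        // Must be path-absolute: "/x", but not protocol-relative "//host" or "/\host".
        if (target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        // Some browsers normalise '\' to '/', so reject backslashes anywhere.
        if (target.indexOf('\\') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // A parsed scheme or authority means the browser would leave this origin.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // java.net.URI keeps leading ".." segments after normalize(), which is
        // exactly what lets us detect an attempt to climb above "/".
        String path = uri.normalize().getRawPath();
        return path != null && path.startsWith("/") && !path.startsWith("/..");
    }

    public static void main(String[] args) {
        // Constructed sample redirect parameters, not values from the advisory.
        String[] samples = {
            "/content/start.html",
            "/content/start.html?x=1#top",
            "//evil.example/phish",
            "/\\evil.example/phish",
            "https://evil.example/login",
            "javascript:alert(1)",
            "/content/../../etc/passwd",
            "/ok\r\nSet-Cookie: a=b",
            ""
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-40s -> %s%n", shown, isSafeRedirect(s));
        }
    }
}
```

Only the first two samples pass; every other one is turned away at the step that corresponds to the way it would carry the browser off-origin. The design choice is an allowlist (accept one narrow shape) rather than a blocklist of known-bad prefixes, since the latter has to be extended each time a new parser quirk such as backslash-as-slash or a protocol-relative URL is discovered.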