Date: Mon, 18 Dec 2017 15:45:25 +0000
From: Antonio Sanso <asanso@...be.com>
To: dev <dev@...ng.apache.org>, users <users@...ng.apache.org>,
	"security@...ng.apache.org" <security@...ng.apache.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	François Lajeunesse-Robert
	<francois.lajeunesse.robert@...il.com>
Subject: CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method, which validates the target a user is redirected to after authenticating, allows an attacker, through the Sling login form, to trick a victim into sending over their credentials.
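The advisory does not say which redirect targets the 1.4.0 check accepted, so the following is an added illustration of the vulnerability class rather than Sling's own AuthUtil code: a login form takes a post-login target (assumed here to be the usual "resource" request parameter), and a validator that only insists on a leading slash still lets protocol-relative values such as //attacker.example through, sending the victim off-site right after they have typed their password into a page that looks like the real login form. The class name, the probe inputs and the specific bypass patterns (protocol-relative, backslash, percent-encoded, parent-directory) are assumptions chosen for the example; the hardened variant shows the checks a practitioner would expect a redirect validator to make.

```java
import java.util.Locale;

/**
 * Illustrative login-form redirect validator (added example, not Sling's AuthUtil).
 * A login form typically takes a "resource" parameter naming where to send the user
 * after authentication. If that value reaches a Location header without adequate
 * checks, a link such as /system/sling/login?resource=//attacker.example lets an
 * attacker send the victim, immediately after login, to a host the attacker controls.
 */
public final class RedirectTargetCheck {

    /** Weak check (assumed pattern): only requires a leading slash, so "//attacker.example" passes. */
    public static boolean isRedirectValidWeak(String target) {
        return target != null && target.startsWith("/");
    }

    /** Hardened check: the target must be a single-slash, site-local path. */
    public static boolean isRedirectValidHardened(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Reject absolute URLs such as "https://attacker.example/".
        if (target.contains("://")) {
            return false;
        }
        // Browsers treat a backslash like a forward slash in the authority
        // position, so "/\attacker.example" behaves like "//attacker.example".
        String normalized = target.replace('\\', '/');
        // Must start with exactly one slash: "/path" is local, "//host" is not.
        if (!normalized.startsWith("/") || normalized.startsWith("//")) {
            return false;
        }
        // Refuse embedded "//" and parent-directory hops that a later
        // normalization step could reinterpret.
        if (normalized.contains("//") || normalized.contains("/../") || normalized.endsWith("/..")) {
            return false;
        }
        // Percent-encoded slashes, backslashes and line breaks would decode to the
        // same bypasses (or split the header); refuse them instead of decoding.
        String lower = normalized.toLowerCase(Locale.ROOT);
        if (lower.contains("%2f") || lower.contains("%5c")
                || lower.contains("%0a") || lower.contains("%0d")) {
            return false;
        }
        // Raw control characters have no place in a redirect target either.
        for (char c : normalized.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed probe inputs: one legitimate target and several bypass attempts.
        String[] probes = {
            "/content/home.html",        // legitimate site-local target
            "//attacker.example/login",  // protocol-relative: browser leaves the site
            "/\\attacker.example",       // backslash variant of the same trick
            "https://attacker.example",  // absolute URL
            "/%2F%2Fattacker.example",   // percent-encoded slashes
            "/a/../../etc",              // parent-directory hops
        };
        for (String p : probes) {
            System.out.printf("%-28s weak=%-5b hardened=%b%n",
                    p, isRedirectValidWeak(p), isRedirectValidHardened(p));
        }
    }
}
```

Run with javac/java to see that the weak check accepts every probe that begins with a slash, including the protocol-relative and backslash forms, while the hardened check accepts only /content/home.html. The safest deployment pattern on top of such a check is to compare the validated path against an allow-list of known post-login entry points, or to resolve it server-side and confirm it maps to a resource in the site's own repository, so that the check does not have to anticipate every browser URL quirk.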

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit:
François Lajeunesse-Robert
 
