PT-2017-14149 · Apache · Apache Sling Authentication Service

Published: 2017-12-18 · Updated: 2022-05-14 · CVE-2017-15700

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Sling Authentication Service version 1.4.0
Description: A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker to trick a victim into sending their credentials through the Sling login form.
Recommendations: For Apache Sling Authentication Service version 1.4.0, consider disabling the org.apache.sling.auth.core.AuthUtil#isRedirectValid method until a patch is available. Restrict access to the Sling login form to minimize the risk of exploitation.

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2017-15700
GHSA-VCVP-89FQ-HWJ8

Affected products

Apache Sling Authentication Service