PT-2017-14149 · Apache · Apache Sling Authentication Service

Published

2017-12-18

·

Updated

2022-05-14

·

CVE-2017-15700

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Sling Authentication Service version 1.4.0

Description

A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker to trick a victim into sending their credentials through the Sling login form. isRedirectValid is the check that is supposed to confirm that the post-login redirect target handed to the login form (the resource parameter) points back into the local Sling instance; the flaw lets a target chosen by the attacker pass that check, so a crafted link to the login form is enough to route the victim wherever the attacker wants once they interact with the form. The CVSS vector reflects this: no privileges are needed (PR:N), but the victim must follow the crafted link (UI:R).

Recommendations

Upgrade Apache Sling Authentication Service to a release later than 1.4.0 in which the isRedirectValid check has been corrected. Do not disable isRedirectValid: it is the validation step itself, and removing it would leave the login form with no redirect check at all. Until the upgrade is deployed, reject login-form requests whose redirect target (the resource parameter) is anything other than a plain path on the local instance, for example with a reverse proxy or WAF rule that drops values containing a URL scheme, a leading // or a backslash; limit exposure of the Sling login form to the networks that need it; and treat links to the login form that carry an external redirect target as phishing attempts.
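The following is an added example, not code from the Apache Sling project and not a copy of AuthUtil#isRedirectValid: it re-implements, as a standalone Python validator, the kind of redirect-target check the login form depends on, and contrasts it with a deliberately weak check that only refuses scheme-prefixed URLs. The function names, the context_path argument, the host attacker.example and the sample targets are all assumptions constructed for the example; such a validator would sit in a reverse proxy or a filter in front of the login form.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def weak_is_redirect_valid(target):
    """Illustrative weak check (NOT the Sling implementation): only a
    scheme-prefixed absolute URL is refused, so protocol-relative and
    percent-encoded targets slip through."""
    return bool(target) and "://" not in target


def is_redirect_valid(target, context_path="/"):
    """Accept a post-login redirect target only if it is a plain path on
    the local instance, underneath the servlet context path.

    Added example code: these rules are a general open-redirect defence,
    not a copy of AuthUtil#isRedirectValid.
    """
    if not target:
        return False

    # Decode once so that %2F%2Fhost is judged as //host.
    decoded = unquote(target)

    # Browsers treat backslashes as slashes, and CR/LF/tab enable
    # header injection or parser disagreements, so refuse them outright.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in decoded):
        return False

    # Browsers resolve any run of two or more leading slashes as an
    # authority (//host, ///host), not as a path on this origin.
    if decoded.startswith("//"):
        return False

    # Any scheme (https:, javascript:) or authority means the target
    # leaves this origin.
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False

    # Only absolute paths on this host; a relative path is rejected too,
    # since its meaning depends on the page it is resolved against.
    if not parts.path.startswith("/"):
        return False

    # Collapse /./ and /../ so the context-path check cannot be escaped.
    path = posixpath.normpath(parts.path)

    # Keep the target inside the servlet context the login form serves.
    ctx = context_path.rstrip("/")
    if ctx and path != ctx and not path.startswith(ctx + "/"):
        return False
    return True


def classify(targets, context_path="/"):
    """Run both checks over a batch of targets and return
    {target: (weak_result, hardened_result)}."""
    return {t: (weak_is_redirect_valid(t), is_redirect_valid(t, context_path))
            for t in targets}


# Constructed sample targets, shaped like values that could arrive in the
# login form's resource parameter; attacker.example is a placeholder host.
SAMPLE_TARGETS = [
    "/content/home",
    "/content/home?wcmmode=disabled",
    "//attacker.example/login",
    "///attacker.example/login",
    "https://attacker.example/login",
    "%2F%2Fattacker.example/login",
    "/\\attacker.example/login",
    "javascript:alert(1)",
    "/content\r\nSet-Cookie: x=y",
]

if __name__ == "__main__":
    for target, (weak, hard) in classify(SAMPLE_TARGETS).items():
        print(f"{target!r:40} weak={weak!s:5} hardened={hard}")
```

The weak check passes //attacker.example/login and its percent-encoded form, which is exactly the class of target a redirect validator has to refuse; the hardened check rejects every sample except the two local paths, and with a non-root context_path it also rejects paths that use /../ to climb out of the context.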

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2017-15700
GHSA-VCVP-89FQ-HWJ8

Affected Products

Apache Sling Authentication Service