PT-2018-10261 · Cloud Foundry · Cloud Foundry Uaa+1
Published
2018-06-25
·
Updated
2022-05-14
·
CVE-2018-11041
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Cloud Foundry UAA versions later than 4.6.0 and prior to 4.19.0, excluding versions 4.10.1 and 4.7.5
uaa-release versions later than v48 and prior to v60, excluding versions v55.1 and v52.9
Description
The issue allows open redirects due to a lack of validation of redirect URL values on a form parameter used for internal redirects on the login page. A remote attacker can craft a malicious link that redirects users to arbitrary websites after a successful login attempt.
Recommendations
For Cloud Foundry UAA versions later than 4.6.0 and prior to 4.19.0, excluding versions 4.10.1 and 4.7.5, update to a version that includes the fix for this issue.
For uaa-release versions later than v48 and prior to v60, excluding versions v55.1 and v52.9, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the login page or implementing additional validation on redirect URL values to minimize the risk of exploitation.
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloud Foundry Uaa
Uaa-Release