Open Redirect Affecting org.cloudfoundry.identity:cloudfoundry-identity-uaa package, versions [4.6.0,4.7.5) (4.7.5,4.10.1) (4.10.1,4.19.0)


  • severity

    medium

  • score

    0.0

  • Attack Complexity

    Low

  • User Interaction

    Required

  • Scope

    Changed

  • snyk-id

    SNYK-JAVA-ORGCLOUDFOUNDRYIDENTITY-32396

  • published

    1 Jul 2018

  • disclosed

    25 Jun 2018

  • credit

    Unknown

How to fix?

Upgrade org.cloudfoundry.identity:cloudfoundry-identity-uaa to version 4.19.0 or higher.

Overview

org.cloudfoundry.identity:cloudfoundry-identity-uaa is a multi-tenant identity management service used in Cloud Foundry, and also available as a stand-alone OAuth2 server.

Affected versions of this package are vulnerable to Open Redirect. The login page does not validate the redirect URL supplied in a form parameter used for internal UAA redirects, so the value is followed as given. A remote attacker can craft a malicious link that, when clicked, redirects the user to an arbitrary website after a successful login attempt.
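The missing check described above, shown as an added example that is not UAA's code: the unvalidated pattern beside a hardened version that only accepts a relative path on the login host. The host name `login.example.test` and both function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: the origin that serves the login page. Every accepted
# redirect is rebuilt on this origin, so the result can never leave it.
LOGIN_ORIGIN = ("https", "login.example.test")


def vulnerable_redirect_target(form_param: str) -> str:
    """Vulnerable pattern: the form parameter is trusted verbatim."""
    return form_param


def safe_redirect_target(form_param: str, default: str = "/") -> str:
    """Hardened pattern: accept only a relative path on the login host.

    Anything carrying a scheme or authority, a protocol-relative prefix,
    a backslash or a control character falls back to the default landing
    page instead of being followed.
    """
    if not form_param or any(ord(c) < 0x20 for c in form_param):
        return default
    # Browsers treat a backslash like a forward slash, so normalise first;
    # otherwise "/\host" would pass the "//" check below and still leave us.
    candidate = form_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # absolute or protocol-relative URL: external
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # not an absolute path on this host
    # Rebuild on the trusted origin; only path, query and fragment survive.
    return urlunsplit(
        (LOGIN_ORIGIN[0], LOGIN_ORIGIN[1], parts.path, parts.query, parts.fragment)
    )
```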