Open Redirect Affecting org.cloudfoundry.identity:cloudfoundry-identity-uaa package, versions [4.6.0,4.7.5) (4.7.5,4.10.1) (4.10.1,4.19.0)
1 Jul 2018
25 Jun 2018
How to fix?
Upgrade org.cloudfoundry.identity:cloudfoundry-identity-uaa to version 4.19.0 or higher. The affected ranges listed above exclude 4.7.5 and 4.10.1, so those two releases are also outside the vulnerable set on their respective release lines.
org.cloudfoundry.identity:cloudfoundry-identity-uaa is a multi-tenant identity management service, used in Cloud Foundry but also available as a stand-alone OAuth2 server.
Affected versions of this package are vulnerable to an open redirect. The login page accepts a form parameter that UAA uses for its own internal redirects, but does not validate its value, so it can carry an arbitrary URL. A remote attacker can craft a link to the legitimate login page with that parameter pointing at a site they control; a user who follows the link, logs in successfully, and is then redirected off-site, which makes the redirect a convenient front for phishing since the address the user first visited and authenticated to was genuine.
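The check that a post-login redirect parameter needs is shown below as an added example; it is not UAA's code and makes no claim about how UAA parses the parameter. The host names, the allow-list, and the sample attacker inputs are constructed for illustration. `vulnerable_is_local` is the kind of "starts with a slash" test that typically sits behind an open redirect; `is_safe_redirect` is the hardened replacement, covering the scheme-relative, backslash, triple-slash, userinfo and non-HTTP-scheme variants that browsers resolve to another origin.

```python
from urllib.parse import urlsplit

# Hosts this deployment may send users to after login. Constructed for the
# example; a real service would load this from configuration.
ALLOWED_HOSTS = {"uaa.example.com", "apps.example.com"}
DEFAULT_LANDING = "/home"


def vulnerable_is_local(target: str) -> bool:
    """Naive check behind many open redirects: accept anything starting with '/'.
    It passes '//evil.example' and '/\\evil.example', which browsers resolve
    to a different origin."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a site-relative path or an https URL to an
    allow-listed host. Anything else is treated as an open-redirect attempt."""
    if not target or any(ord(c) <= 0x20 for c in target):
        # Control characters and whitespace are stripped by browsers (and by
        # urlsplit), which lets '/\t/evil.example' become '//evil.example'.
        return False
    # Browsers treat a backslash as a path separator in http(s) URLs, so
    # normalise first: '/\\evil.example' becomes '//evil.example' and is then
    # handled as a scheme-relative URL below.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only https to an allow-listed host. `hostname` drops
        # userinfo, so 'https://uaa.example.com@evil.example' yields the host
        # 'evil.example' and is rejected. Exact match defeats
        # 'apps.example.com.evil.example'.
        return parts.scheme == "https" and parts.hostname in allowed_hosts
    if parts.netloc:
        # Scheme-relative URL ('//evil.example/...'): inherits the current
        # scheme and points off-site unless the host is allow-listed.
        return parts.hostname in allowed_hosts
    # No scheme and no authority: must be a path with exactly one leading '/'.
    # '///evil.example' parses with an empty netloc but browsers collapse the
    # extra slashes and go to evil.example, so it is rejected here.
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_post_login_redirect(target: str) -> str:
    """Where to send the user after a successful login: the requested target
    if it passes validation, otherwise a fixed landing page."""
    return target if is_safe_redirect(target) else DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample values for the redirect parameter.
    samples = [
        "/home",
        "/oauth/authorize?client_id=app",
        "https://apps.example.com/console",
        "//evil.example/phish",
        "/\\evil.example",
        "///evil.example",
        "https://uaa.example.com@evil.example/",
        "https://apps.example.com.evil.example/",
        "javascript:alert(1)",
        "/\t/evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} naive={vulnerable_is_local(s)!s:5} "
              f"hardened={is_safe_redirect(s)!s:5} -> {resolve_post_login_redirect(s)}")
```

The fallback to a fixed landing page matters as much as the check itself: rejecting a bad value with an error still leaks whether the parameter was accepted, while silently landing on the default gives the attacker nothing to work with.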