Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.)
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NPivotal Software Concourse
APPPivotal Software< 5.2.85.3.0 – 5.5.10 (bez)5.6.0 – 5.8.1 (bez)
Powiązane podatności
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnera...
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A r...
Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer o...
Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse ...
Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource ca...