DellCVELIST:CVE-2018-15798CVE-2018-15798 Pivotal Concourse allows malicious redirect urls on login
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
49.6%
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user’s access token in Concourse.
CNA Affected
[
{
"product": "Concourse",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "4.2.2",
"status": "affected",
"version": "4.x",
"versionType": "custom"
}
]
}
]References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
49.6%