CVE-2018-15798

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-15798

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15798.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-15798

Aliases

GHSA-9689-rx4v-cqgc

Published

2018-12-19T22:29:00Z

Modified

2024-11-21T03:51:28Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse.

References

https://pivotal.io/security/cve-2018-15798

Affected packages

Git / github.com/concourse/concourse

Affected ranges

Type: GIT
Repo: https://github.com/concourse/concourse
Events: Introduced

7577eba5fe060e8239070b4a26cab1d89e266b7c

Fixed

a48dbfa07c3ff6940d4f9de021338101f842c3c9