CVE-2018-15798

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-15798

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15798.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-15798

Aliases

GHSA-9689-rx4v-cqgc

Published

2018-12-19T22:29:00.547Z

Modified

2026-04-10T04:07:54.271487Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse.

References

https://pivotal.io/security/cve-2018-15798

Affected packages

Git / github.com/concourse/concourse

Affected ranges

Type

GIT

Repo

https://github.com/concourse/concourse

Events

Introduced

7577eba5fe060e8239070b4a26cab1d89e266b7c

Fixed

a48dbfa07c3ff6940d4f9de021338101f842c3c9

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.2.2"
        }
    ]
}

Affected versions

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15798.json"