Moderate severity | NVD Advisory | Published Dec 19, 2018 | Updated Sep 17, 2024
Pivotal Concourse allows malicious redirect URLs on login
CVE-2018-15798
Description
In Pivotal Concourse Release versions 4.x prior to 4.2.2, the login flow allows redirects to untrusted websites. A remote, unauthenticated attacker could convince a user to click a link that points the OAuth redirect parameter at an untrusted website, and thereby obtain that user's Concourse access token.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/concourse/concourse | Go | < 5.2.8 | 5.2.8 |
| github.com/concourse/concourse | Go | >= 5.3.0, < 5.5.10 | 5.5.10 |
| github.com/concourse/concourse | Go | >= 5.6.0, < 5.8.1 | 5.8.1 |
Affected products
- Pivotal/Concourse, range: 4.x
References
- github.com/advisories/GHSA-9689-rx4v-cqgc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-15798 (GHSA, advisory)
- github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md (GHSA, web)
- github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb (GHSA, web)
- pivotal.io/security/cve-2018-15798 (GHSA, x_refsource_CONFIRM, web)