Posted to users@sling.apache.org by Antonio Sanso <as...@adobe.com.INVALID> on 2017/12/18 15:45:25 UTC

CVE-2017-15700 - Apache Sling Authentication Service vulnerability

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker, via the Sling login form, to trick a victim into sending over their credentials.
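The advisory names a redirect-validation method but does not spell out what a correct check looks like, so the following is an added example, written for this page and not taken from Sling or from the fixed release. It shows the kind of test a login form's redirect-target validator has to perform before it sends the user anywhere after authentication: accept only same-origin paths under the application's own context path, and reject absolute URLs, scheme-relative targets such as //host, backslash variants that browsers normalise to slashes, non-path schemes such as javascript:, dot-segment escapes out of the context path, and control or whitespace characters. The function name is_redirect_valid, the context_path parameter and the sample targets are assumptions made for the example.

```python
import posixpath
from urllib.parse import urlsplit


def is_redirect_valid(target: str, context_path: str = "/") -> bool:
    """Return True only if `target` is a same-origin path inside `context_path`.

    Hypothetical validator for illustration; it is not Sling's AuthUtil.
    The intent is that a login form may only redirect back into the
    application that owns it, never to a host the attacker chooses.
    """
    if not target:
        return False

    # Control characters and whitespace have no place in a redirect target;
    # they enable header splitting and parser disagreements downstream.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False

    # Browsers treat backslashes like forward slashes when resolving
    # "/\evil.example", so normalise before parsing, not after.
    normalized = target.replace("\\", "/")

    parts = urlsplit(normalized)

    # Any scheme (https:, javascript:, data:) or any authority (//host)
    # means the target is not a plain path on this origin.
    if parts.scheme or parts.netloc:
        return False

    # Relative paths resolve against the current URL; only accept
    # path-absolute targets so the result is predictable.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False

    # Collapse "." and ".." so "/app/../admin" cannot escape the context path.
    path = posixpath.normpath(parts.path)
    if path.startswith("//"):
        return False  # normpath keeps a leading "//"; never allow it

    ctx = context_path.rstrip("/")
    if ctx and not (path == ctx or path.startswith(ctx + "/")):
        return False

    return True


if __name__ == "__main__":
    # Constructed sample targets, not taken from any real request.
    samples = [
        ("/content/home.html", "/"),
        ("/app/page", "/app"),
        ("https://evil.example/", "/"),
        ("//evil.example/", "/"),
        ("/\\evil.example/", "/"),
        ("javascript:alert(1)", "/"),
        ("/app/../other", "/app"),
        ("evil.example/path", "/"),
    ]
    for target, ctx in samples:
        verdict = "allow" if is_redirect_valid(target, ctx) else "reject"
        print(f"{verdict:6} {target!r} (context {ctx!r})")
```

The check is deliberately allow-list shaped: rather than enumerating known-bad prefixes, it requires the target to parse as a path-only reference and to normalise to a location under the context path, which is what a login form needs and nothing more.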

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Credit:
François Lajeunesse-Robert