CVE-2015-3190 Open redirect on Login
Severity
Low
Vendor
Cloud Foundry Foundation
Versions Affected
- cf-release versions prior to v210
- UAA versions prior to 2.3.0
Description
The UAA logout link is susceptible to an open redirect, which allows an attacker to insert a malicious web page as the redirect parameter.
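The flaw is a redirect parameter reflected into the logout response without validation. As an added illustration (not code from UAA or cf-release), the naive handler is shown beside the allowlist check a defender would expect in its place; the hostnames and parameter handling are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example allowlist: hosts this deployment may send a user to after logout.
ALLOWED_REDIRECT_HOSTS = {"login.example.com", "apps.example.com"}
DEFAULT_LANDING = "https://login.example.com/"


def vulnerable_logout_redirect(redirect_param: str) -> str:
    """Naive handling: the parameter lands in the Location header unchecked (the bug class)."""
    return redirect_param


def safe_logout_redirect(redirect_param: Optional[str]) -> str:
    """Return the requested target only if it is an allowlisted absolute URL or a local path."""
    if not redirect_param:
        return DEFAULT_LANDING
    # Some browsers treat backslashes as slashes; normalise before parsing so "/\host" is seen as "//host".
    candidate = redirect_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: a single leading slash keeps it on this origin; "//host" would be protocol-relative.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_LANDING
    # Reject javascript:, data: and any other non-web scheme.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    # hostname drops userinfo ("trusted@evil") and port, and is compared case-insensitively.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_LANDING
    return candidate
```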
Affected VMware Products and Versions
Severity is low unless otherwise noted.
- Cloud Foundry Runtime cf-release versions v209 or earlier are susceptible to this vulnerability
- UAA Standalone versions 2.2.6 or earlier are susceptible to this vulnerability
- Pivotal Cloud Foundry Runtime 1.4.5 or earlier
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project team recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later
- The Cloud Foundry project team recommends that Cloud Foundry UAA standalone deployments running Release 2.2.6 or earlier upgrade to 2.3.0 or later
- It will be patched in a future version of Pivotal Cloud Foundry
Credit
This issue was identified by Mohammed Abdulqader Abobaker Al-saggaf and reported responsibly to the Pivotal Security Team.