CVE-2015-3190 - Open redirect on Login


Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

  • cf-release versions prior to v210
  • UAA versions prior to 2.3.0

Description

The UAA logout link is susceptible to an open redirect, which allows an attacker to insert a malicious web page as a redirect parameter.
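As an added illustration (not UAA's code or the project's actual fix), the Python below places an unchecked post-logout redirect beside a hardened version that only follows same-origin paths or allow-listed hosts; the allow-listed host names, the default path and the way the redirect value is obtained are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this deployment is willing to send the browser to after logout.
# Constructed sample values; a real deployment would load these from config.
ALLOWED_HOSTS = {"login.example.com", "app.example.com"}
DEFAULT_AFTER_LOGOUT = "/login"


def redirect_unchecked(requested):
    """Weak behaviour: trusts whatever the request supplied (open redirect)."""
    return requested


def redirect_checked(requested, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_AFTER_LOGOUT):
    """Hardened behaviour: only same-origin paths or allow-listed hosts survive."""
    if not requested:
        return default
    # Browsers treat backslashes like slashes; normalise before parsing.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)
    # Only http(s) or a scheme-less value is acceptable (rejects javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc == "":
        # Relative target: must be an absolute path on this origin. Rebuilding from the
        # parsed parts collapses surplus leading slashes ("///host" becomes "/host"),
        # so the browser cannot read the value as a network-path reference.
        if not parts.path.startswith("/"):
            return default
        return urlunsplit(("", "", parts.path, parts.query, ""))
    # Absolute target: compare the real hostname (ignores user:pass@ and ports)
    # and refuse any userinfo outright, which is never needed for a redirect.
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return default
    if parts.username is not None or parts.password is not None:
        return default
    return candidate
```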

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Cloud Foundry Runtime cf-release versions v209 or earlier are susceptible to this vulnerability
  • UAA Standalone versions 2.2.6 or earlier are susceptible to this vulnerability
  • Pivotal Cloud Foundry Runtime 1.4.5 or earlier

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project team recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later
  • The Cloud Foundry project team recommends that Cloud Foundry UAA standalone deployments running Release 2.2.6 or earlier upgrade to 2.3.0 or later
  • It will be patched in a future version of Pivotal Cloud Foundry

Credit

This issue was identified by Mohammed Abdulqader Abobaker Al-saggaf and reported responsibly to the Pivotal Security Team.