CVE-2015-3190 - Open redirect on Login
Cloud Foundry Foundation
- cf-release versions prior to v210
- UAA versions prior to 2.3.0
The UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.
Severity is low unless otherwise noted.
- Cloud Foundry Runtime cf-release versions v209 or earlier are susceptible to this vulnerability
- UAA Standalone versions 2.2.6 or earlier are susceptible to this vulnerability
- Pivotal Cloud Foundry Runtime 1.4.5 or earlier
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project team recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later
- The Cloud Foundry project teams recommends that Cloud Foundry UAA standalone deployments running Release 2.2.6 or earlier upgrade to 2.3.0 or later
- It will be patched in a future version of Pivotal Cloud Foundry
This issue was identified by Mohammed Abdulqader Abobaker Al-saggaf and reported responsibly to the Pivotal Security Team.