Authentication Flaw in Apache Sling Authentication Service
CVE-2017-15700

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Sling
Vendor: CVE Published:; 18 December 2017

Summary

An exploitable flaw in the Apache Sling Authentication Service allows attackers to manipulate the redirection process during user authentication. By leveraging the vulnerabilities in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method, attackers can deceive victims into unwittingly submitting their credentials. This could lead to unauthorized access and potential exposure of sensitive information, emphasizing the need for robust security measures to protect against such deceptive techniques.

Affected Version(s)

Apache Sling Authentication Service 1.4.0

References

https://lists.apache.org/thread.html/182bed1dd6933824a81c...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 18, 2017
Vulnerability Reserved
Oct 21, 2017