CVE-2018-11041 — Open Redirect in Software Cloud Foundry UAA

CWE-601 — Open Redirect3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 55.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Cloud Foundry UAA Pivotal Software Cloud Foundry Uaa-release Cloud Foundry UAA

Timeline

PublishedJun 25

Latest updateMay 14

Description

Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDpivotal_software/cloud_foundry_uaa-release< 52.9+2

▶NVDpivotal_software/cloud_foundry_uaa< 4.7.5+2

▶CVEListV5cloud_foundry/cloud_foundry_uaalater than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5

🔴Vulnerability Details

GHSA

Cloud Foundry UAA open redirect↗2022-05-14

▶

OSV

Cloud Foundry UAA open redirect↗2022-05-14

▶