CVE-2018-11041

Summary

CVE	CVE-2018-11041
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-06-25 15:29:00 UTC
Updated	2018-08-23 17:00:00 UTC
Description	Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.

Risk And Classification

Problem Types: CWE-601

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Pivotal Software	Cloud Foundry Uaa	All	All	All	All
Application	Pivotal Software	Cloud Foundry Uaa	All	All	All	All
Application	Pivotal Software	Cloud Foundry Uaa-release	All	All	All	All
Application	Pivotal Software	Cloud Foundry Uaa-release	All	All	All	All

References

Reference	Source	Link	Tags
CVE-2018-11041: UAA open redirect \| Cloud Foundry	CONFIRM	www.cloudfoundry.org	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

998015 Java (Maven) Security Update for org.cloudfoundry.identity:cloudfoundry-identity-server (GHSA-xh4m-99qp-w483)