CVE-2018-15798

HIGH

Concourse 4.0.0-4.2.1 and 0-5.2.7 - Unauthenticated Open Redirect via oAuth Login Flow

Title source: llm
STIX 2.1

Description

Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse.

References (1)

Core 1
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2018-15798

Scores

CVSS v3 7.6
EPSS 0.0115
EPSS Percentile 62.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Details

CWE
CWE-601
Status published
Products (2)
concourse/concourse 0 - 5.2.8Go
pivotal_software/concourse 4.0.0 - 4.2.2
Published Dec 19, 2018
Tracked Since Feb 18, 2026