| id: GO-TEST-ID |
| modules: |
| - module: github.com/concourse/concourse |
| versions: |
| - fixed: 5.2.8 |
| - introduced: 5.3.0 |
| fixed: 5.5.10 |
| - introduced: 5.6.0 |
| fixed: 5.8.1 |
| packages: |
| - package: github.com/concourse/concourse/skymarshal/skyserver |
| summary: Open Redirect |
| description: |- |
| Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows |
| redirects to untrusted websites. A remote unauthenticated attacker could |
| convince a user to click on a link using the oAuth redirect link with an |
| untrusted website and gain access to that user's access token in Concourse. |
| cves: |
| - CVE-2018-15798 |
| ghsas: |
| - GHSA-9689-rx4v-cqgc |
| references: |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-15798 |
| - fix: https://github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb |
| - web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md |
| - web: https://pivotal.io/security/cve-2018-15798 |
| notes: |
| - lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1' |
| - lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set' |
| - lint: 'summary: must contain an affected module or package path (e.g. "github.com/concourse/concourse")' |