blob: 60516e97511e091d905013f843b9d81be0958438 [file] [log] [blame]
id: GO-TEST-ID
modules:
- module: github.com/concourse/concourse
versions:
- fixed: 5.2.8
- introduced: 5.3.0
fixed: 5.5.10
- introduced: 5.6.0
fixed: 5.8.1
packages:
- package: github.com/concourse/concourse/skymarshal/skyserver
summary: Open Redirect in github.com/concourse/concourse
description: |-
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows
redirects to untrusted websites. A remote unauthenticated attacker could
convince a user to click on a link using the oAuth redirect link with an
untrusted website and gain access to that user's access token in Concourse.
cves:
- CVE-2018-15798
ghsas:
- GHSA-9689-rx4v-cqgc
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-15798
- fix: https://github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb
- web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md
- web: https://pivotal.io/security/cve-2018-15798
notes:
- lint: 'modules[0] "github.com/concourse/concourse": 5 versions do not exist: 5.2.8, 5.3.0, 5.5.10, 5.6.0, 5.8.1'
- lint: 'modules[0] "github.com/concourse/concourse": packages[0] "github.com/concourse/concourse/skymarshal/skyserver": at least one of vulnerable_at and skip_fix must be set'