| id: GO-ID-PENDING |
| modules: |
| - module: github.com/concourse/concourse |
| non_go_versions: |
| - fixed: 5.2.8 |
| - introduced: 5.3.0 |
| fixed: 5.5.10 |
| - introduced: 5.6.0 |
| fixed: 5.8.1 |
| vulnerable_at: 4.2.3+incompatible |
| packages: |
| - package: github.com/concourse/concourse/skymarshal/skyserver |
| summary: Open Redirect in github.com/concourse/concourse |
| description: |- |
| Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows |
| redirects to untrusted websites. A remote unauthenticated attacker could |
| convince a user to click on a link using the oAuth redirect link with an |
| untrusted website and gain access to that user's access token in Concourse. |
| cves: |
| - CVE-2018-15798 |
| ghsas: |
| - GHSA-9689-rx4v-cqgc |
| references: |
| - advisory: https://github.com/advisories/GHSA-9689-rx4v-cqgc |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2018-15798 |
| - fix: https://github.com/concourse/concourse/pull/5350/commits/38cb4cc025e5ed28764b4adc363a0bbf41f3c7cb |
| - web: https://github.com/concourse/concourse/blob/release/5.2.x/release-notes/v5.2.8.md |
| - web: https://pivotal.io/security/cve-2018-15798 |
| source: |
| id: GHSA-9689-rx4v-cqgc |
| created: 1999-01-01T00:00:00Z |
| review_status: UNREVIEWED |
