CVE-2017-15700: Apache Sling Authentication Service vulnerability

May 14, 2022 (updated August 9, 2024)

A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.

References

github.com/advisories/GHSA-vcvp-89fq-hwj8
github.com/apache/sling-org-apache-sling-auth-core
lists.apache.org/thread.html/182bed1dd6933824a81cc5f07639eeb813fbd8f2cc49d51b452ab621@%3Cdev.sling.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2017-15700

Detect and mitigate CVE-2017-15700 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →