CVE-2017-15700 Apache Sling Authentication Service Vulnerability

漏洞类别:CGI

漏洞等级:

漏洞信息

Apache Sling is a web framework that uses a Java Content Repository, such as Apache Jackrabbit, to store and manage content.

A vulnerability in the ‘org.apache.sling.auth.core.AuthUtil#isRedirectValid’ method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.

Affected Versions:
Apache Sling Authentication Service version 1.4.0

QID Detection Logic:
This QID checks for Apache Sling installations running with default credentials and that have vulnerable versions of Apache Sling Authentication Service module.

漏洞危害

An unauthenticated, remote attacker could exploit this vulnerability to steal users’ credentials.

解决方案

Customers are advised to upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Apache Sling

Leave a Reply