Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2017-15700

CVE-2017-15700:
Apache Sling Authentication Service vulnerability

8.8

CVSS Score

Basic Information

CVE ID
CVE-2017-15700
GHSA ID
GHSA-vcvp-89fq-hwj8
EPSS Score
-
CWE
CWE-200
Published
5/14/2022
Updated
8/9/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.sling:org.apache.sling.auth.coremaven>= 1.4.0, < 1.4.21.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly identifies AuthUtil#isRedirectValid as the flawed method. The CWE-200 (sensitive info exposure) aligns with the credential theft scenario. The method's purpose of validating redirect URLs matches the attack vector described, where improper validation would enable open redirect attacks. Multiple sources (CVE, GHSA, Apache mailing list) consistently reference this method as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w in t** or*.*p****.slin*.*ut*.*or*.*ut*Util#isR**ir**tV*li* m*t*o* in *p**** Slin* *ut**nti**tion S*rvi** *.*.* *llows *n *tt**k*r, t*rou** t** Slin* lo*in *orm, to tri*k * vi*tim to s*n* ov*r t**ir *r***nti*ls.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s *ut*Util#isR**ir**tV*li* *s t** *l*w** m*t*o*. T** *W*-*** (s*nsitiv* in*o *xposur*) *li*ns wit* t** *r***nti*l t***t s**n*rio. T** m*t*o*'s purpos* o* v*li**tin* r**ir**t URLs m*t***s t** *tt**k v*