Open redirect vulnerability in Replicated admin console
- Gradle Enterprise < 2021.3.3 (non-Kubernetes)
Related CVE ID(s)
The login page of the Replicated administration console, used to operate a Gradle Enterprise installation, allows a post-login open redirect. An attacker may use this to obtain the login password by persuading an administrator with a valid login password to follow a crafted login URL: on successful login, the console redirects to a page of the attacker's design, which prompts for the password again and so captures it. This is a form of phishing attack.
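The defensive pattern for this class of bug is to treat the post-login redirect parameter as untrusted input and to redirect only to a same-origin path rebuilt from it, never to echo the raw value into the Location header. The Python helper below is an added example written for this advisory, not code from Replicated or Gradle Enterprise; the function name, the `next`-style parameter it validates and the host `admin.example.com` are assumptions. It rejects absolute and protocol-relative URLs for other hosts, backslash variants that browsers treat as slashes, non-HTTP schemes and control characters, and it rebuilds the result from the parsed path so that oddities such as `///host` cannot survive into the response.

```python
from typing import Optional
from urllib.parse import urlsplit

# Where to send the user when the requested target is unusable (assumed value).
DEFAULT_LANDING = "/"


def safe_post_login_redirect(raw: Optional[str], expected_host: str) -> str:
    """Return a same-origin redirect target derived from a user-controlled value.

    Hypothetical helper for this advisory. `raw` is the value of a redirect
    parameter supplied with the login request; `expected_host` is the host
    (and port, if any) the console is served from. Anything that could leave
    the origin collapses to DEFAULT_LANDING.
    """
    if not raw:
        return DEFAULT_LANDING
    candidate = raw.strip()

    # CR/LF or other control characters could split the response header.
    if any(ord(c) < 0x20 or c == " " for c in candidate):
        return DEFAULT_LANDING

    # Browsers treat backslashes as slashes, so "/\evil.example" is really
    # "//evil.example" (protocol-relative). Normalise before parsing.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    # Only http(s) is acceptable as an explicit scheme (no javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING

    # An absolute or protocol-relative URL is tolerated only for our own host;
    # "user@host" tricks fail here too because the whole netloc must match.
    if parts.netloc and parts.netloc.lower() != expected_host.lower():
        return DEFAULT_LANDING

    path = parts.path or "/"
    # Require an absolute path, and refuse one that itself starts with "//",
    # which a browser would read as a new authority.
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING

    # Rebuild from components: scheme and host are never copied from the input.
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


if __name__ == "__main__":
    host = "admin.example.com"  # constructed sample host
    for value in ["/dashboard", "https://admin.example.com/settings",
                  "https://evil.example/login", "//evil.example", "/\\evil.example",
                  "///evil.example", "javascript:alert(1)", ""]:
        print(repr(value), "->", safe_post_login_redirect(value, host))
```

In a login handler the returned value is the only thing that should ever reach the redirect response; the original parameter is discarded after validation.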
The vulnerable component is not used for Kubernetes-based installations.
Upgrade to Gradle Enterprise 2021.3.3 or later, or separately update your Replicated administration console to 2.53.1 or later.
Stephan Sekula <email@example.com>