Open redirect vulnerability in Replicated admin console

Affected product(s)

  • Gradle Enterprise < 2021.3.3 (non-Kubernetes)

Severity

High

Related CVE ID(s)

Description

The login page of the Replicated administration console, used to operate a Gradle Enterprise installation, allows a post-login open redirect. An attacker may exploit this by having an administrator with a valid login password follow a crafted login URL that, on successful login, redirects to a page of the attacker's design which prompts for the password again, allowing the attacker to capture it. This is a form of phishing attack.

The vulnerable component is not used for Kubernetes based installations.
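The defect class described above is a login handler that forwards the user to whatever post-login target the request names. The following is an added illustration, not code from Replicated or Gradle Enterprise: a Go login handler that only honours a same-origin, path-only target and otherwise falls back to a fixed page. The parameter name `next` and the `/dashboard` fallback are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// safeRedirectTarget returns raw only when it is an absolute path on this
// origin; any absolute URL, scheme-relative URL (//host), backslash variant,
// or unparsable value yields fallback instead.
func safeRedirectTarget(raw, fallback string) string {
	if raw == "" || strings.ContainsAny(raw, "\\\r\n\x00") {
		return fallback // empty, backslash (browsers treat /\host as //host) or control chars
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// A scheme, host, userinfo or opaque part means the target leaves this origin.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// Require a rooted path and refuse "//", which browsers read as scheme-relative.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	return u.String()
}

// postLoginRedirect is the step after credentials have been verified
// (authentication itself is out of scope for this illustration).
func postLoginRedirect(w http.ResponseWriter, r *http.Request) {
	target := safeRedirectTarget(r.FormValue("next"), "/dashboard") // "next" is an assumed name
	http.Redirect(w, r, target, http.StatusSeeOther)
}

func main() {
	// Constructed inputs: the first is honoured, the rest collapse to the fallback.
	for _, in := range []string{"/settings?tab=users", "https://evil.example/login",
		"//evil.example/login", "/\\evil.example", "javascript:alert(1)"} {
		fmt.Printf("%-28q -> %s\n", in, safeRedirectTarget(in, "/dashboard"))
	}
}
```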

Mitigation

Upgrade to Gradle Enterprise 2021.3.3 or later, or separately update your Replicated administration console to 2.53.1 or later.

Credit

Stephan Sekula <stephan.sekula@compass-security.com>

References