concourse-6.7.1/release-notes/v4.2.2.md

#### <sub><sup><a name="v422-note-1" href="#v422-note-1">:link:</a></sup></sub> fix, security

* Fixed an open redirect vulnerability with the login flow that enabled phishy URLs to be crafted to send your auth token to an arbitrary URL.

  This issue affected all versions after and including [**v4.0.0**](https://github.com/concourse/concourse/releases/tag/v4.0.0). The attack vector requires user interaction, but we still highly recommend upgrading to this version now that the exploit is public.