High
Cloud Foundry Foundation
CF UAA versions prior to 74.1.0 allow a client to obtain scopes it should not be granted by submitting the requested scopes as an array rather than a single value. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
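The defensive pattern this advisory points at is a scope check that normalizes every shape the `scope` parameter can arrive in (a space-delimited string, an array, a nested array) before comparing the result with the client's registered scopes. The code below is an added illustration in Python, not UAA's (Java) code; the function names, the accepted input shapes and the sample scope sets are assumptions made for the example.

```python
"""Illustrative scope validation for an OAuth2 token endpoint.

Added example, not UAA's code. The shapes handled here (a space-delimited
string, a list of strings, a nested list) are assumptions about how a
'scope' parameter can reach an endpoint after parsing.
"""
from typing import Iterable, Set, Union

ScopeParam = Union[str, Iterable, None]


def normalize_scopes(scope: ScopeParam) -> Set[str]:
    """Flatten every accepted input shape into a set of scope names.

    Anything that is not a string once flattened is rejected outright,
    so an unexpected type can never slip past the later subset check.
    """
    if scope is None:
        return set()
    if isinstance(scope, str):
        return set(scope.split())
    names: Set[str] = set()
    for item in scope:
        if isinstance(item, str):
            names.update(item.split())
        elif isinstance(item, (list, tuple, set, frozenset)):
            names.update(normalize_scopes(item))  # nested array
        else:
            raise ValueError(f"unsupported scope element: {item!r}")
    return names


def authorize_scopes(requested: ScopeParam, allowed: Set[str]) -> Set[str]:
    """Return the scopes to grant, or raise if any requested scope lies
    outside the client's registered scopes.

    An absent or empty 'scope' parameter falls back to the client's full
    registered set, which is the usual OAuth2 behaviour; a request is
    never granted more than that set, whatever shape it arrives in.
    """
    wanted = normalize_scopes(requested) or set(allowed)
    excess = wanted - set(allowed)
    if excess:
        raise PermissionError(f"scope not permitted: {sorted(excess)}")
    return wanted


if __name__ == "__main__":
    # Constructed sample: a client registered for two scopes.
    client_scopes = {"openid", "cloud_controller.read"}
    print(authorize_scopes(["openid", "cloud_controller.read"], client_scopes))
```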
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
This issue was responsibly reported by Amit Laish – GE Digital Cyber Security Team.
2019-09-10: Initial vulnerability report published.