CVE-2018-15761: UAA Privilege Escalation | Cloud Foundry

2018-11-01T00:00:00
ID CFOUNDRY:14A5A4246358C548C536F54BD18C460B
Type cloudfoundry
Reporter Cloud Foundry
Modified 2018-11-01T00:00:00

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using uaa-release versions prior to v64.0
  • You are using uaa versions prior to 4.23.0

Description

Cloud Foundry UAA, release versions prior to v64.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the URL and content of a consent page to gain a token with arbitrary scopes to escalate their privileges.
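The advisory describes the failure in one sentence: the scopes a consent page submits back to the server were not validated against what the authorization request and the client registration actually permitted. The following is an added illustration written for this page, not UAA code and not a reproduction of the original defect; the data model (clients, a server-side pending authorization, user authorities) and the sample values are constructed assumptions. It places a handler that trusts the posted form beside one that re-derives the approved scopes from state the server already holds, which is the class of check the fixed releases enforce.

```python
"""Consent-scope validation: trusting the form (unsafe) vs. re-deriving
approved scopes from server-side state (safe).  Added example, assumed
data model; not the UAA implementation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: FrozenSet[str]      # scopes this client registration may ever request


@dataclass(frozen=True)
class PendingAuthorization:
    """State the server stored when it rendered the consent page, keyed by an
    opaque id carried in the form; nothing here comes from the user's browser."""
    client_id: str
    user_id: str
    requested_scopes: FrozenSet[str]    # scopes in the original /oauth/authorize request
    user_authorities: FrozenSet[str]    # scopes the authenticated user is entitled to


class ConsentError(Exception):
    """Raised when the submitted consent does not match server-side state."""


def issue_token_unsafe(pending: PendingAuthorization, form_scopes: Iterable[str]) -> dict:
    # Vulnerable pattern: whatever scope list the consent form posts back is
    # treated as approved.  A user who edits the page or its URL can add
    # scopes that were never requested or never permitted.
    return {"sub": pending.user_id, "scope": sorted(set(form_scopes))}


def issue_token_safe(clients: Dict[str, Client],
                     pending: PendingAuthorization,
                     form_scopes: Iterable[str]) -> dict:
    """Accept only scopes that are simultaneously (1) part of the original
    authorization request, (2) allowed for the client, and (3) held by the
    user.  The form may narrow the grant (user declines scopes) but never
    widen it."""
    approved = frozenset(form_scopes)
    client = clients[pending.client_id]
    if not approved:
        raise ConsentError("no scopes approved")
    if not approved <= pending.requested_scopes:
        raise ConsentError(f"scope(s) not in original request: "
                           f"{sorted(approved - pending.requested_scopes)}")
    if not approved <= client.allowed_scopes:
        raise ConsentError(f"scope(s) not permitted for client: "
                           f"{sorted(approved - client.allowed_scopes)}")
    if not approved <= pending.user_authorities:
        raise ConsentError(f"user lacks authority for: "
                           f"{sorted(approved - pending.user_authorities)}")
    return {"sub": pending.user_id, "scope": sorted(approved)}


# Constructed sample data (hypothetical client id, user id and scope names).
CLIENTS = {
    "webapp": Client("webapp", frozenset({"openid", "cloud_controller.read"})),
}
PENDING = PendingAuthorization(
    client_id="webapp",
    user_id="user-123",
    requested_scopes=frozenset({"openid", "cloud_controller.read"}),
    user_authorities=frozenset({"openid", "cloud_controller.read", "cloud_controller.write"}),
)


def demo() -> dict:
    """Run both handlers on a tampered form submission and report the outcome."""
    tampered = ["openid", "cloud_controller.read", "uaa.admin"]  # extra scope injected client-side
    result = {"unsafe_scope": issue_token_unsafe(PENDING, tampered)["scope"]}
    try:
        issue_token_safe(CLIENTS, PENDING, tampered)
        result["safe_rejected"] = False
    except ConsentError as exc:
        result["safe_rejected"] = True
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The key design point is that the only input taken from the browser is the opaque id that selects the pending authorization; every scope decision is made against the request the server itself recorded, the client registration, and the user's authorities, so editing the consent form or its URL can remove scopes but never add them.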

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • uaa-release versions v64.0
    • uaa version 4.23.0

Credit

This issue was responsibly reported by the UAA team.

History

2018-11-01: Initial vulnerability report published.