Lucene search
Cloud FoundryCFOUNDRY:2DCDD1BA9F5DF59E27CD97E5902753E1HistoryDec 10, 2018 - 12:00 a.m.
CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist | Cloud Foundry
2018-12-1000:00:00
Cloud Foundry
www.cloudfoundry.org
14
EPSS
0.002
Percentile
61.4%
Severity
Medium
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- UAA all versions in v60.x, v61.x, v62.x, v63.x, v64.x
Description
Cloud Foundry UAA, all versions in v60.x, v61.x, v62.x, v63.x, and v64.x contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
-
* UAA release v66.0
Credit
This issue was responsibly reported by the UAA team of Pivotal.
History
2018-12-10: Initial vulnerability report published.
Related
cvelist
cvelist
osv
osv
CVE-2018-15754
2018-12-13 22:29:00
prion
prion
Authorization
2018-12-13 22:29:00
nvd
nvd
CVE-2018-15754
2018-12-13 22:29:00
cloudfoundry
cloudfoundry
cve
cve
CVE-2018-15754
2018-12-13 22:29:00