Lucene search
Cloud FoundryCFOUNDRY:96F36837000610EEEAFDC33512B4E961HistoryNov 07, 2017 - 12:00 a.m.
CVE-2017-8031: UAA Denial of Service through client token revocation endpoint | Cloud Foundry
2017-11-0700:00:00
Cloud Foundry
www.cloudfoundry.org
22
0.001 Low
EPSS
Percentile
29.8%
Severity
Medium
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- cf-release
- All versions prior to v279
- UAA
- 30.x versions prior to 30.6
- 45.x versions prior to 45.4
- 52.x versions prior to 52.1
Description
In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.
Mitigation
Users of affected versions should apply the following mitigations or upgrades.
- Releases that have fixed this issue include:
- cf-release: v279
- UAA: 30.6, 45.4, 52.1
Credit
This issue was responsibly reported by the UAA team.
History
2017-11-07: Initial vulnerability report published.
2017-11-16: Added cf-release version info.
Related
veracode
veracode
Denial Of Service (DoS) Through Token Revocation
2017-11-09 07:30:11
osv
osv
CVE-2017-8031
2017-11-27 10:29:00
Cloud Foundry UAA Denial of Service through client token revocation endpoint
2022-05-13 01:10:00
cvelist
cvelist
CVE-2017-8031
2017-11-27 10:00:00
github
github
Cloud Foundry UAA Denial of Service through client token revocation endpoint
2022-05-13 01:10:00
cve
cve
CVE-2017-8031
2017-11-27 10:29:00
nvd
nvd
CVE-2017-8031
2017-11-27 10:29:00
prion
prion
Design/Logic Flaw
2017-11-27 10:29:00