Severity: Medium
Vendor: Cloud Foundry Foundation
In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint, because revocation is enforced when a token is resolved or checked against the UAA; a client that validates JWTs locally against the token signing key never consults that state and is not affected. A malicious actor holding a valid token for the client could revoke the tokens of every other user of that client, causing a denial of service for those users.
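The toy model below is an added illustration of the mechanism described above; it is not UAA code and does not reproduce UAA's actual endpoints or patch. It assumes an in-memory token server with HMAC-signed toy JWTs and a constructed signing key, a hypothetical `revoke_client_tokens_unchecked` that behaves as the advisory describes, and a hypothetical `revoke_client_tokens` that scopes revocation to the caller's own tokens (an assumed hardening, not necessarily the fix that shipped). It shows why opaque tokens and check_token-validated JWTs lose validity while a locally validated JWT does not.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the toy; a real UAA uses its configured token key.
SIGNING_KEY = b"toy-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT (toy; no exp/iss handling)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt_locally(token: str):
    """Signature-only validation, as a client does when it never calls check_token.
    Revocation state lives on the server, so it cannot be observed here."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


class TokenServer:
    """Hypothetical in-memory stand-in for the UAA's token store."""

    def __init__(self):
        self.opaque = {}      # opaque token string -> claims
        self.issued = []      # every claim set issued, so tokens can be revoked by client
        self.revoked = set()  # jti values that check_token must reject

    def issue(self, user_id: str, client_id: str, opaque: bool) -> str:
        claims = {"jti": secrets.token_hex(8), "user_id": user_id, "client_id": client_id}
        self.issued.append(claims)
        if opaque:
            token = secrets.token_urlsafe(16)
            self.opaque[token] = claims
            return token
        return make_jwt(claims)

    def check_token(self, token: str):
        """check_token-style validation: resolves opaque tokens, verifies JWTs, and
        rejects anything on the revocation list."""
        claims = self.opaque.get(token) or verify_jwt_locally(token)
        if claims is None or claims["jti"] in self.revoked:
            return None
        return claims

    def revoke_client_tokens_unchecked(self, caller: dict, client_id: str) -> int:
        """Behaviour the advisory describes: any authenticated user of the client
        revokes every token issued to that client, other users' tokens included."""
        if caller is None or caller["client_id"] != client_id:
            return 0
        targets = [c["jti"] for c in self.issued if c["client_id"] == client_id]
        self.revoked.update(targets)
        return len(targets)

    def revoke_client_tokens(self, caller: dict, client_id: str) -> int:
        """Assumed hardening: only the caller's own tokens on that client are revoked."""
        if caller is None or caller["client_id"] != client_id:
            return 0
        targets = [c["jti"] for c in self.issued
                   if c["client_id"] == client_id and c["user_id"] == caller["user_id"]]
        self.revoked.update(targets)
        return len(targets)


def demo():
    """Constructed scenario: alice, bob and carol hold tokens; alice calls revoke."""
    srv = TokenServer()
    alice = srv.issue("alice", "app", opaque=True)
    bob_opaque = srv.issue("bob", "app", opaque=True)
    bob_jwt = srv.issue("bob", "app", opaque=False)
    carol = srv.issue("carol", "other-app", opaque=True)
    alice_claims = srv.check_token(alice)
    count = srv.revoke_client_tokens_unchecked(alice_claims, "app")
    unchecked = {
        "revoked_count": count,
        "bob_opaque_check_token": srv.check_token(bob_opaque) is not None,
        "bob_jwt_check_token": srv.check_token(bob_jwt) is not None,
        "bob_jwt_local": verify_jwt_locally(bob_jwt) is not None,
        "carol_other_client": srv.check_token(carol) is not None,
    }

    srv = TokenServer()
    alice = srv.issue("alice", "app", opaque=True)
    bob_opaque = srv.issue("bob", "app", opaque=True)
    alice_claims = srv.check_token(alice)
    count = srv.revoke_client_tokens(alice_claims, "app")
    scoped = {
        "revoked_count": count,
        "alice_own": srv.check_token(alice) is not None,
        "bob_opaque_check_token": srv.check_token(bob_opaque) is not None,
    }
    return unchecked, scoped


if __name__ == "__main__":
    print(demo())
```

In the unchecked run, bob's opaque token and his JWT both fail check_token once alice has revoked the client's tokens, while the same JWT still verifies locally, which is exactly the boundary the advisory draws; carol's token on a different client is untouched. With revocation scoped to the caller, only alice's own token is invalidated.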
Users of affected versions should apply the following mitigations or upgrades.
This issue was responsibly reported by the UAA team.
2017-11-07: Initial vulnerability report published.
2017-11-16: Added cf-release version info.