High
Cloud Foundry Foundation
BOSH allows UAA refresh tokens to be used as if they were access tokens when UAA is the configured authentication provider. A remote attacker holding an admin refresh token issued by UAA can present it directly to the BOSH Director and access BOSH resources without ever obtaining an access token, so the user's authorization is never re-evaluated by UAA, and the refresh token keeps working even after the user has lost access to those resources.
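The following Ruby script is an added illustration of the flaw class described above; it is not BOSH's or UAA's own code. It mints a short-lived access token and a long-lived refresh token with the same claims, then runs both through a vulnerable authorizer (any validly signed, unexpired token for the Director's audience is accepted) and a hardened one that also refuses refresh tokens. Assumptions: tokens are HS256 JWTs under a constructed shared key (real UAA signs with RS256), the refresh token is distinguished by a "-r" suffix on its `jti` claim (the UAA convention as the author understands it), the expected audience is the hypothetical value `bosh`, and the user names and scopes are made up for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed HS256 key standing in for the UAA token signing key.
SIGNING_KEY = 'constructed-example-signing-key'.freeze
AUDIENCE    = 'bosh'.freeze # hypothetical audience the Director expects

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hmac(data)
  OpenSSL::HMAC.digest('SHA256', SIGNING_KEY, data)
end

def sign_jwt(claims)
  head = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  body = b64url(JSON.generate(claims))
  "#{head}.#{body}.#{b64url(hmac("#{head}.#{body}"))}"
end

# Stand-in for UAA issuing a token pair: a short-lived access token and a
# long-lived refresh token carrying the same claims. Assumption: UAA marks the
# refresh token by appending "-r" to the access token's jti.
def issue_pair(user, scopes, now)
  jti  = OpenSSL::Random.random_bytes(8).unpack('H*').first
  base = { 'sub' => user, 'scope' => scopes, 'aud' => [AUDIENCE], 'iat' => now }
  access  = sign_jwt(base.merge('jti' => jti,        'exp' => now + 600))
  refresh = sign_jwt(base.merge('jti' => "#{jti}-r", 'exp' => now + 30 * 86_400))
  [access, refresh]
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies signature, expiry and audience; returns the claims or nil.
# The header's alg field is deliberately ignored: we always recompute HS256.
def verify_signed(token, now)
  head, body, sig = token.to_s.split('.', 3)
  return nil if sig.nil?
  return nil unless constant_time_equal?(sig, b64url(hmac("#{head}.#{body}")))
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  return nil unless Array(claims['aud']).include?(AUDIENCE)
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

def refresh_token?(claims)
  claims['jti'].to_s.end_with?('-r')
end

# Vulnerable authorizer (illustrative, not the Director's code): every validly
# signed, unexpired token for the Director's audience is treated as an access
# token, so a refresh token is accepted too.
def authorize_vulnerable(token, now)
  verify_signed(token, now)
end

# Hardened authorizer: the same checks plus refusal of refresh tokens, which
# belong only at the UAA token endpoint.
def authorize_hardened(token, now)
  claims = verify_signed(token, now)
  return nil if claims.nil? || refresh_token?(claims)
  claims
end

# Stand-in for UAA's refresh grant: re-checks that the user is still permitted
# before minting a new access token. This re-check is exactly what presenting
# the refresh token straight to the Director bypasses.
def refresh_grant(refresh_token, still_authorized, now)
  claims = verify_signed(refresh_token, now)
  return nil if claims.nil? || !refresh_token?(claims)
  return nil unless still_authorized.call(claims['sub'])
  sign_jwt(claims.merge('jti' => claims['jti'].sub(/-r\z/, ''),
                        'iat' => now, 'exp' => now + 600))
end

# Scenario: an admin gets a token pair, then is removed from UAA. An hour later
# the access token has expired, UAA refuses to refresh, yet the vulnerable
# authorizer still honours the refresh token.
def scenario(issued_at)
  access, refresh = issue_pair('alice', %w[bosh.admin], issued_at)
  later = issued_at + 3600
  admin_still_exists = ->(user) { user != 'alice' } # alice has been removed
  {
    expired_access_rejected:    authorize_hardened(access, later).nil?,
    refresh_via_uaa_rejected:   refresh_grant(refresh, admin_still_exists, later).nil?,
    vulnerable_accepts_refresh: !authorize_vulnerable(refresh, later).nil?,
    hardened_rejects_refresh:   authorize_hardened(refresh, later).nil?
  }
end

puts scenario(Time.now.to_i).inspect
```

The useful property to check in any resource server that consumes UAA tokens is the last two entries of the scenario hash: a refresh token must never satisfy the access-token check, because its lifetime is measured in days and the user's current entitlements are only re-evaluated when it is exchanged at UAA.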
Users of affected versions should apply the following mitigations or upgrades:
This issue was responsibly reported by Dr. Nic Williams, Stark and Wayne.
2018-10-03: Initial vulnerability report published.