CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentile: 21.0%
CVSS score: 2.7 (Low)
Cloud Foundry Foundation
All versions
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.
Assuming that:
It is expected that the UAA would reject such a refresh token (one issued through an identity provider that has since been deactivated) during a refresh token grant, but it does not; this is the vulnerability. It continues to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active.
As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
*Severity is 2.7 unless otherwise noted.
Users of Cloud Foundry and UAA are encouraged to follow the mitigations below.
When updating an identity provider's setting in the UAA to become inactive (set "active" to "false"), if you expect all tokens to be revoked, you should revoke them manually by calling one of the endpoints for revoking tokens.
At this time this notice is provided for your information only. Users are encouraged to apply the mitigation to their UAA identity provider management process.
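One way to make the mitigation part of the deactivation process, as an added example that is not from the advisory or the UAA project: after setting the provider inactive, look up every SCIM user whose origin is that provider and call the per-user token revocation endpoint for each. It assumes the UAA SCIM search (`GET /Users?filter=origin eq "<origin>"`, paged with `startIndex`/`count`) and the per-user revoke endpoint (`GET /oauth/token/revoke/user/<userId>`) as documented in the UAA API reference, and an admin bearer token with the scopes those endpoints require; the HTTP transport is injected so the logic can be exercised without a live UAA.

```python
"""Revoke UAA tokens for every user of an identity provider being deactivated.

Assumed endpoints (UAA API reference, not stated in the advisory itself):
  GET /Users?filter=origin eq "<origin>"   SCIM user search, paged
  GET /oauth/token/revoke/user/<userId>    revoke all tokens of one user
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# (method, url, bearer) -> parsed JSON body; swapped for a fake in tests
Http = Callable[[str, str, str], Dict]


def urllib_http(method: str, url: str, bearer: str) -> Dict:
    """Default transport: a plain urllib call carrying the bearer token."""
    req = urllib.request.Request(
        url, method=method,
        headers={"Authorization": f"Bearer {bearer}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def users_for_origin(uaa: str, origin: str, bearer: str, http: Http) -> List[str]:
    """Return the ids of all SCIM users whose origin is the given provider."""
    ids: List[str] = []
    start, count = 1, 100  # SCIM startIndex is 1-based
    filt = urllib.parse.quote(f'origin eq "{origin}"')
    while True:
        page = http("GET", f"{uaa}/Users?filter={filt}&startIndex={start}&count={count}", bearer)
        resources = page.get("resources", [])
        ids.extend(u["id"] for u in resources)
        if not resources or start + len(resources) > page.get("totalResults", 0):
            return ids
        start += len(resources)


def revoke_tokens_for_origin(uaa: str, origin: str, bearer: str,
                             http: Http = urllib_http) -> List[str]:
    """Revoke access and refresh tokens of every user of the given origin.

    Marking the provider inactive alone leaves its refresh tokens usable until
    they expire; revoking per user closes that window. Returns revoked user ids.
    """
    revoked = []
    for uid in users_for_origin(uaa, origin, bearer, http):
        http("GET", f"{uaa}/oauth/token/revoke/user/{uid}", bearer)
        revoked.append(uid)
    return revoked
```

Run it immediately after the PUT that sets the provider's "active" flag to false, using the same admin credentials.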
This issue was responsibly reported by Florian Tack (SAP).
2023-03-20: Initial vulnerability report published.