CVE-2018-11082: UAA MFA doesn't prevent brute force of MFA code | Cloud Foundry

2018-10-01 00:00:00
Cloud Foundry
www.cloudfoundry.org

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.002 (Percentile: 56.9%)

Severity

medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using uaa-release versions prior to 61.0
  • You are using uaa versions prior to 4.20.0

Description

UAA, versions prior to 4.20.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.
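To make the weakness concrete, here is an added example (not UAA code, and not the fix shipped in 4.20.0): a second-factor code verifier with and without per-user failed-attempt lockout, plus a small harness that shows how each behaves when a client submits codes sequentially. The attempt threshold, lockout window, 6-digit code length and the sample user and code are all assumptions made for the illustration.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # assumption: illustrative threshold, not a UAA setting
LOCKOUT_SECONDS = 300     # assumption: illustrative lockout window


@dataclass
class MfaState:
    failed_attempts: int = 0
    locked_until: float = 0.0


class MfaVerifier:
    """Second-factor check; limit_attempts=False models the unprotected path."""

    def __init__(self, expected_codes, limit_attempts=True, clock=time.monotonic):
        self._codes = expected_codes      # username -> current valid code (constructed)
        self._limit = limit_attempts
        self._clock = clock               # injectable so tests can advance time
        self._state = {}

    def verify(self, username, submitted_code):
        state = self._state.setdefault(username, MfaState())
        now = self._clock()
        if self._limit and now < state.locked_until:
            return "locked"               # reject even a correct code while locked
        expected = self._codes.get(username, "")
        if hmac.compare_digest(expected, submitted_code):   # constant-time compare
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if self._limit and state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            return "locked"
        return "invalid"


def simulate_guessing(verifier, username, code_digits=6):
    """Submit every code in order; return (first terminal outcome, attempts used)."""
    for n in range(10 ** code_digits):
        result = verifier.verify(username, f"{n:0{code_digits}d}")
        if result in ("ok", "locked"):
            return result, n + 1
    return "exhausted", 10 ** code_digits


if __name__ == "__main__":
    print(simulate_guessing(MfaVerifier({"alice": "042917"}, limit_attempts=False), "alice"))
    print(simulate_guessing(MfaVerifier({"alice": "042917"}), "alice"))
```

Without the counter the correct code is reached after a bounded number of tries; with it the account locks after MAX_FAILED_ATTEMPTS and stays locked for LOCKOUT_SECONDS even for the right code.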

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • uaa-release version 61.0
    • uaa version 4.20.0

Credit

This issue was responsibly reported by the GE Digital Security team.

History

2018-10-01: Initial vulnerability report published.
