Lucene search

K
cve[email protected]CVE-2021-22001
HistoryJul 22, 2021 - 2:15 p.m.

CVE-2021-22001

2021-07-2214:15:07
CWE-200
web.nvd.nist.gov
161
cve-2021-22001
uaa
identity provider
sensitive information
oauth 1.0
nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

53.8%

In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request of an identity provider( IdP) of type “oauth 1.0” was sent to UAA server.

Affected configurations

NVD
Node
cloudfoundrycf-deploymentRange<16.18.0
OR
cloudfoundryuser_account_and_authenticationRange<75.3.0

CNA Affected

[
  {
    "product": "Cloud Foundry UAA server",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cloud Foundry UAA server prior to version 75.3.0"
      }
    ]
  }
]

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

53.8%

Related for CVE-2021-22001