CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn’t be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
Affected versions (the CPE column of the original table was empty and has been dropped):

Name | Operator | Version
---|---|---
uaa-release | eq | 56
uaa-release | eq | 67.0
uaa-release | eq | 10
uaa-release | eq | 68.0
uaa-release | eq | 43
uaa-release | eq | 61.0
uaa-release | eq | 11.1
uaa-release | eq | 13
uaa-release | eq | 2
uaa-release | eq | 30.1