CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn’t be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.
CPE | Name | Operator | Version |
---|---|---|---|
uaa_release | lt | 74.1.0 |