org.cloudfoundry.identity:cloudfoundry-identity-api (>=4.6.0 <=4.7.4), org.cloudfoundry.identity:cloudfoundry-identity-app (>=4.6.0 <=4.7.4) +1 more potentially affected by CVE-2018-11047 via org.cloudfoundry.identity:cloudfoundry-identity-server (>=4.6.0 <=4.7.4)

org.cloudfoundry.identity:cloudfoundry-identity-server MAVEN version =4.6.0, =4.6.0, =4.6.0, =4.6.0, =4.7.4 Source cves: CVE-2018-11047 Source advisory: OSV:GHSA-R4V8-9HGX-VM6M...

org.cloudfoundry.identity:cloudfoundry-identity-api (>=3.0.0 <=4.11.0), org.cloudfoundry.identity:cloudfoundry-identity-app (>=3.0.0 <=4.11.0) +1 more potentially affected by CVE-2018-11047 via org.cloudfoundry.identity:cloudfoundry-identity-server (>=3.0.0 <=4.5.0)

org.cloudfoundry.identity:cloudfoundry-identity-server MAVEN version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =4.30.0 Source cves: CVE-2018-11047 Source advisory: OSV:GHSA-R4V8-9HGX-VM6M...

CVE-2018-11047

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longe...