
31 matches found

CNNVD
added 4 days ago, 6 views

Cloud Foundry UAA security vulnerabilities

Cloud Foundry UAA is an identity verification and management service terminal designed for the CloudFoundry platform by the Cloud Foundry Foundation in the United States. There is a security vulnerability in Cloud Foundry UAA, which stems from the exposure of private keys. This vulnerability may...

CVSS 10 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 1

Positive Technologies
added 4 days ago, 9 views

PT-2026-45616

Name of the Vulnerable Software and Affected Versions Cloud Foundry UAA versions v76.12.0 through v78.12.0 CF Deployment versions v30.0.0 through v56.0.0 Description Private key exposure occurs when the server inadvertently reveals Elliptic Curve EC private keys through the public '/token keys'...

CVSS 10 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 6

Cloud Foundry
added 2026/03/05 12:0 a.m., 5 views

CVE-2026-22723 - UAA User Token Revocation | Cloud Foundry

Severity MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y Vendor CloudFoundry Foundation Versions Affected UAA Release: v77.30.0 to v78.7.0 CF Deployment: v48.7.0 to v54.10.0 Description Cloud Foundry UAA release versions fro...

CVSS 6.5 | AI score 5.9 | EPSS 0.0008
Exploits 0

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2017-14087

Malware in sbrugna...

CVSS 7.5 | AI score 7.5 | EPSS 0.00278
Exploits 0 | References 2

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2022-4331

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.1 | EPSS 0.00387
Exploits 0 | References 8

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-3645

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.0031
Exploits 0 | References 10

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2022-3576

Malicious code in bioql PyPI...

CVSS 7.2 | AI score 7 | EPSS 0.0028
Exploits 0 | References 8

Cloud Foundry
added 2025/05/08 12:0 a.m., 14 views

CVE-2025-22246 - UAA Private Key Exposure | Cloud Foundry

Severity LOW Vendor CloudFoundry Foundation Versions Affected UAA Release: v77.21.0 to v77.31.0 CF Deployment: v45.1.0 to v48.11.0 Description Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs. Affected Cloud Foundry Products and Versions...

CVSS 7.5 | AI score 6.6 | EPSS 0.00185
Exploits 0

Cloud Foundry
added 2024/07/18 12:0 a.m., 10 views

CVE-2024-38806 - UAA Failure to Remove Shadow User's Access | Cloud Foundry

Severity LOW Vendor CloudFoundry Foundation Versions Affected UAA Release v77.10.0 or below Description Expected behavior: When UAA is configured to proxy to an external OIDC or SAML provider, and when UAA is configured using the UAA group mapping feature to convert the external provider user...

CVSS 3.9 | AI score 6.8 | EPSS 0.00031
Exploits 0

GitHub Security Blog
added 2022/05/14 3:5 a.m., 14 views

Cloud Foundry UAA open redirect

Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open...

CVSS 6.1 | AI score 7.2 | EPSS 0.00215
Exploits 0 | References 11 | Affected Software 1

OSV
added 2022/05/14 3:5 a.m., 0 views

GHSA-XH4M-99QP-W483 Cloud Foundry UAA open redirect

Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open...

CVSS 6.1 | AI score 6.5 | EPSS 0.00215
Exploits 0 | References 11

GitHub Security Blog
added 2022/05/13 1:7 a.m., 19 views

Cloud Foundry UAA password reset vulnerability

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release uaa-release 13.x versions prior to v13.14...

CVSS 7.2 | AI score 6.9 | EPSS 0.0028
Exploits 0 | References 7 | Affected Software 1

NVD
added 2019/12/06 8:15 p.m., 9 views

CVE-2019-11293

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 8.8 | AI score 7 | EPSS 0.00539
Exploits 0 | References 1

OSV
added 2019/12/06 8:15 p.m., 13 views

CVE-2019-11293

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 6.5 | AI score 6.9 | EPSS 0.00539
Exploits 0 | References 1

Prion
added 2019/12/06 8:15 p.m., 15 views

Authentication flaw

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 3.5 | AI score 6.5 | EPSS 0.00539
Exploits 0 | References 1 | Affected Software 2

CVE
added 2019/12/06 8:0 p.m., 149 views

CVE-2019-11293

CVE-2019-11293 concerns Cloud Foundry UAA releases prior to v74.10.0. When set to DEBUG, the service logs client_secret credentials sent as query parameters to the uaa.log file, enabling credential disclosure. A remote authenticated attacker could gain user credentials via the log file if authent...

CVSS 8.8 | AI score 6.8 | EPSS 0.00539
Exploits 0 | References 1 | Affected Software 2

OSV
added 2019/11/26 12:15 a.m., 12 views

CVE-2019-11290

Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat’s access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...

CVSS 7.5 | AI score 6.7 | EPSS 0.00441
Exploits 0 | References 1

CNVD
added 2019/11/26 12:0 a.m., 2 views

Cloud Foundry UAA Release Information Disclosure Vulnerability

UAA Release and UAA are both certification and managed service endpoints for different versions of Cloud Foundry. An information disclosure vulnerability exists in Cloud Foundry UAA Release prior to 74.8.0. The vulnerability stems from the UAA Release logging all query parameters to the tomcat...

CVSS 8.8 | AI score 6.4 | EPSS 0.00441
Exploits 0 | References 1

CVE
added 2019/11/25 11:56 p.m., 79 views

CVE-2019-11290

Cloud Foundry UAA before version 74.8.0 logs all query parameters to Tomcat’s access log; if those parameters carry credentials, they are logged as well, causing information disclosure. The vulnerability affects Cloud Foundry UAA and CF deployment lineages prior to upgrades cited by Cloud Foundry...

CVSS 8.8 | AI score 7.6 | EPSS 0.00441
Exploits 0 | References 1 | Affected Software 2

Cloud Foundry
added 2019/07/08 12:0 a.m., 161 views

CVE-2015-9251: UAA contains vulnerable jQuery version | Cloud Foundry

Medium Vendor The OpenJS Foundation Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. UAA Release OSS is vulnerable prior to v73.3.0 Description Cloud Foundry UAA versions prior to 73.3.0, contains a vulnerable version of jQuery. A remote attacker can perform...

CVSS 6.1 | AI score 6.7 | EPSS 0.18007
Exploits 2