Cloudfoundry User Account And Authentication

9 matches found

CVE, added 2021/07/22 1:17 p.m., 188 views

CVE-2021-22001

CVE-2021-22001 affects Cloud Foundry UAA server prior to version 75.3.0. The issue arises when deleting an identity provider (IdP) of type oauth 1.0: the response may reveal sensitive information, including the relaying secret of the provider. The root cause is an information disclosure in the Id...

CVSS 7.5, AI score 7.3, EPSS 0.00986

CVE, added 2019/12/06 8:00 p.m., 153 views

CVE-2019-11293

CVE-2019-11293 concerns Cloud Foundry UAA releases prior to v74.10.0. When its logging level is set to DEBUG, the service writes client_secret credentials sent as query parameters to the uaa.log file, enabling credential disclosure. A remote authenticated attacker could gain user credentials via the log file if authent...

CVSS 8.8, AI score 6.8, EPSS 0.01316

CVE, added 2019/08/09 7:22 p.m., 146 views

CVE-2019-11274

Summary: CVE-2019-11274 affects Cloud Foundry UAA prior to v74.0.0, enabling a remote, unauthenticated attacker to craft a URL containing a SCIM filter that can execute malicious JavaScript (XSS) in older browsers. The root cause is insufficient sanitization of SCIM filter handling in UAA. Impact...

CVSS 6.1, AI score 5.1, EPSS 0.008

CVE, added 2019/09/26 9:11 p.m., 120 views

CVE-2019-11278

CVE-2019-11278 affects Cloud Foundry UAA before 74.1.0. A remote attacker with the privileges client.write and groups.update can craft a SCIM query by injecting external input directly into SCIM, causing a leak of information that enables privilege escalation and potential control of UAA scopes. ...

CVSS 8.8, AI score 9, EPSS 0.01342

CVE, added 2019/11/25 11:56 p.m., 82 views

CVE-2019-11290

Cloud Foundry UAA before version 74.8.0 logs all query parameters to Tomcat’s access log; if those parameters carry credentials, they are logged as well, causing information disclosure. The vulnerability affects Cloud Foundry UAA and CF deployment lineages prior to upgrades cited by Cloud Foundry...

CVSS 8.8, AI score 7.6, EPSS 0.01277

CVE, added 2023/03/28 12:00 a.m., 82 views

CVE-2023-20903

Summary (CVE-2023-20903): Cloud Foundry UAA does not revoke refresh tokens when an external identity provider (IDP) is deactivated. As a result, clients that were issued refresh tokens on behalf of users from that IDP can continue to obtain access tokens and access Cloud Foundry resources until those toke...

CVSS 4.3, AI score 4.5, EPSS 0.00404

CVE, added 2017/09/07 1:00 p.m., 61 views

CVE-2016-0732

The CVE-2016-0732 entry corresponds to a privilege-escalation vulnerability in the identity-zones feature of Cloud Foundry components. Affected products include Cloud Foundry v208–v229, UAA v2.0.0–v2.7.3 and v3.0.0, UAA-Release v2–v4, and Elastic Runtime v1.6.0–v1.6.13. The issue allows remote au...

CVSS 8.8, AI score 8.5, EPSS 0.01154

CVE, added 2021/08/11 8:49 p.m., 54 views

CVE-2021-22098

CVE-2021-22098 affects Cloud Foundry UAA server. Versions prior to 75.4.0 contain an open redirect vulnerability exploitable via social engineering, potentially leading to loss of user accounts and redirection to malicious sites. Practical impact is limited to cases described in vendor ...

CVSS 6.1, AI score 6.1, EPSS 0.00712

CVE, added 2020/02/27 7:30 p.m., 50 views

CVE-2020-5402

The CVE-2020-5402 issue affects Cloud Foundry UAA (and related deployments): versions prior to 74.14.0 allow CSRF because the OAuth2 state parameter is not validated in the external identity provider callback. The core vulnerability is a missing check in the callback flow, impacting authentic...

CVSS 8.8, AI score 8.6, EPSS 0.00486