CVE-2018-15754 - Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments

CVE-2018-15754

Summary

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

References

Vulnerable Configurations

cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:60.2:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:60.2:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:61.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:61.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:62.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:62.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:63.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:63.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:64.0:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:64.0:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 09-10-2019 - 23:35)
Impact:
Exploitability:

CWE

CWE-863

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:N/A:N

refmap via4

bid	106240
confirm	https://www.cloudfoundry.org/blog/cve-2018-15754 https://www.cloudfoundry.org/blog/cve-2018-15754/

Last major update

09-10-2019 - 23:35

Published

13-12-2018 - 22:29

Last modified

09-10-2019 - 23:35