Main Vulnerability Database SB2018020132

SB2018020132 - Information disclosure in Cloud Foundry UAA

Published: February 1, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018020132

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-1192)

The vulnerability allows a remote authenticated user to execute arbitrary code.

In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

Remediation

Install update from vendor's website.

References

https://www.cloudfoundry.org/blog/cve-2018-1192/