Main Vulnerability Database SB2018121818

SB2018121818 - Authorization bypass in Cloud Foundry UAA

Published: December 18, 2018

Security Bulletin ID SB2018121818

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Authorization bypass (CVE-ID: CVE-2018-15754)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated with access to one of these accounts can bypass authorization to obtain a token for an account of the same username in the other identity provider.

Remediation

Install update from vendor's website.

References

https://www.cloudfoundry.org/blog/cve-2018-15754/