Authorization bypass in Cloud Foundry UAA - CVE-2018-15754
Published: December 10, 2018 / Updated: December 18, 2018
Vulnerability identifier: #VU16595
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-15754
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cloud Foundry Foundation
Affected software:
Cloud Foundry UAA
Cloud Foundry UAA
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.
The vulnerability exists due to an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated with access to one of these accounts can bypass authorization to obtain a token for an account of the same username in the other identity provider.
How to mitigate CVE-2018-15754
Update to version 66.0.