Main Vulnerability Database Vulnerabilities #VU16595

#VU16595 Authorization bypass in Cloud Foundry UAA - CVE-2018-15754

Published: December 10, 2018 / Updated: December 18, 2018

Vulnerability identifier: #VU16595

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-15754

CWE-ID: CWE-285

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cloud Foundry UAA

Software vendor:
Cloud Foundry Foundation

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated with access to one of these accounts can bypass authorization to obtain a token for an account of the same username in the other identity provider.

Remediation

Update to version 66.0.

External links

https://www.cloudfoundry.org/blog/cve-2018-15754/

#VU16595 Authorization bypass in Cloud Foundry UAA - CVE-2018-15754

Description

Remediation

External links

Please verify you're human