Cloud Foundry Uaa Release
CVE-2018-15754
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
AnalysisAI
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider. Affected products include: Pivotal Software Cloud Foundry Uaa-Release. Version information: prior to 66.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Cloud Foundry Uaa Release
View allCloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone rel
Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation ac
Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 1
Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. Rated medium severity (CVS
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today