CVE-2018-15754

EPSS 0.39%
Veröffentlicht 13.12.2018 22:29:00
Zuletzt bearbeitet 21.11.2024 03:51:24
Quelle security_alert@emc.com
CVE-Watchlists
Login
Unerledigt
Login

UAA can issue tokens across identity providers if users with matching usernames exist

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pivotal Software ≫ Cloud Foundry Uaa-release Version >= 60.0 < 66.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.596

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security_alert@emc.com	4.2	1.6	2.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

http://www.securityfocus.com/bid/106240

Third Party Advisory

VDB Entry

https://www.cloudfoundry.org/blog/cve-2018-15754

Vendor Advisory

Mitigation

https://www.cloudfoundry.org/blog/cve-2018-15754/

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2018-15754

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-15754

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-15754

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2018-15754