8.8

CVE-2018-15754

UAA can issue tokens across identity providers if users with matching usernames exist

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pivotal SoftwareCloud Foundry Uaa-release Version >= 60.0 < 66.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.78% 0.754
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
security_alert@emc.com 4.2 1.6 2.5
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

http://www.securityfocus.com/bid/106240
Third Party Advisory
VDB Entry
https://www.cloudfoundry.org/blog/cve-2018-15754
Vendor Advisory
Mitigation
https://www.cloudfoundry.org/blog/cve-2018-15754/
Vendor Advisory
Mitigation