CVE-2018-11082 — Improper Restriction of Excessive Authentication Attempts in Foundry UAA

CWE-307 — Improper Restriction of Excessive Authentication Attempts3 documents3 sources

Severity

9.8CRITICALNVD

CNA6.6

EPSS

0.3%

top 47.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Cloud Foundry UAA Release Pivotal Software Cloudfoundry UAA +1 more

Timeline

PublishedOct 5

Latest updateMay 13

Description

Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA Release, all versions prior to 61.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5cloud_foundry/uaa_releaseall versions — 61.0

▶NVDpivotal_software/cloudfoundry_uaa_release< 61.0

▶CVEListV5cloud_foundry/uaaall versions — 4.20.0

▶NVDpivotal_software/cloudfoundry_uaa< 4.20.0

🔴Vulnerability Details

GHSA

GHSA-2rm2-vwh2-fp52: Cloud Foundry UAA, all versions prior to 4↗2022-05-13

▶

CVEList

Cloud Foundry UAA MFA does not prevent brute force of MFA code↗2018-10-05

▶