CVE-2018-1192 — Sensitive Information Exposure in Software Cloud Foundry Cf-deployment

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 35.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Cloud Foundry Cf-deployment Pivotal Software Cloud Foundry Cf-release Pivotal Software Cloud Foundry UAA +1 more

Timeline

PublishedFeb 1

Latest updateMay 14

Description

In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDpivotal_software/cloud_foundry_cf-release< 285

▶NVDpivotal_software/cloud_foundry_uaa-release45.7, 52.7, 53.3+2

▶NVDpivotal_software/cloud_foundry_cf-deployment< 1.7

▶NVDpivotal_software/cloud_foundry_uaa4.5.0 — 4.5.5+2

🔴Vulnerability Details

OSV

Cloud Foundry UAA SessionID present in Audit Event Logs↗2022-05-14

▶

GHSA

Cloud Foundry UAA SessionID present in Audit Event Logs↗2022-05-14

▶

CVEList

CVE-2018-1192: In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1↗2018-02-01

▶

💬Community

Bugzilla

CVE-2018-14434 ImageMagick: memory leak for a colormap in WriteMPCImage in coders/mpc.c↗2018-07-30

▶