CVE-2018-1195 — Insufficient Session Expiration in Capi-release

CWE-613 — Insufficient Session Expiration36 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 49.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Capi-release Cloudfoundry Cf-deployment Cloudfoundry Cf-release +1 more

Timeline

PublishedMar 19

Latest updateMay 13

Description

In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5dell_emc/cloud_controllerYou are using Cloud Controller version prior to 1.46.0, You are using cf-deployment version prior to 1.3.0, You are using cf-release version prior to 283+2

▶NVDcloudfoundry/cf-release< 283

▶NVDcloudfoundry/capi-release< 1.46.0

▶NVDcloudfoundry/cf-deployment< 1.3.0

🔴Vulnerability Details

GHSA

GHSA-mxfj-x685-fxwf: In Cloud Controller versions prior to 1↗2022-05-13

▶

CVEList

CVE-2018-1195: In Cloud Controller versions prior to 1↗2018-03-19

▶

💬Community

Bugzilla

CVE-2018-13153 ImageMagick: memory leak in the XMagickCommand function in MagickCore/animate.c↗2018-07-05

▶

Bugzilla

CVE-2018-6103 chromium-browser: UI spoof in Permissions↗2018-04-18

▶

Bugzilla

CVE-2018-6100 chromium-browser: URL spoof in Omnibox↗2018-04-18

▶

Bugzilla

CVE-2018-6097 chromium-browser: Fullscreen UI spoof↗2018-04-18

▶

Bugzilla

CVE-2018-6092 chromium-browser: Integer overflow in WebAssembly↗2018-04-18

▶