CVE-2018-1262 — Improper Privilege Management in Foundry Cloudfoundry UAA

4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.4%

top 39.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-deployment Cloud Foundry Cloudfoundry UAA Pivotal Software Cloud Foundry UAA +1 more

Timeline

PublishedMay 15

Latest updateMay 13

Description

Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDcloudfoundry/cf-deployment1.27.0 — 1.31.0

▶CVEListV5cloud_foundry/cloudfoundry_uaa4.12.X and 4.13.X

▶NVDpivotal_software/cloud_foundry_uaa8 versions+7

▶NVDpivotal_software/cloud_foundry_uaa-release57, 57.1, 58+2

🔴Vulnerability Details

GHSA

UAA privilege escalation across identity zones↗2022-05-13

▶

OSV

UAA privilege escalation across identity zones↗2022-05-13

▶

CVEList

CVE-2018-1262: Cloud Foundry Foundation UAA, versions 4↗2018-05-15

▶