CVE-2018-15754 — Incorrect Authorization in Foundry UAA Release

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

8.8HIGHNVD

CNA4.2

EPSS

0.4%

top 39.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Release Pivotal Software Cloud Foundry Uaa-release

Timeline

PublishedDec 13

Latest updateMay 13

Description

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cloud_foundry/uaa_release60 — 66.0

▶NVDpivotal_software/cloud_foundry_uaa-release60.0 — 66.0

🔴Vulnerability Details

GHSA

GHSA-6c8m-9r93-f9rp: Cloud Foundry UAA, versions 60 prior to 66↗2022-05-13

▶

CVEList

UAA can issue tokens across identity providers if users with matching usernames exist↗2018-12-13

▶