CVE-2020-5402 — Cross-Site Request Forgery in Foundry UAA

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 56.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloud Foundry UAA Cloudfoundry Cf-deployment Cloudfoundry User Account AND Authentication

Timeline

PublishedFeb 27

Latest updateMay 24

Description

In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5cloud_foundry/uaaunspecified — v74.14.0

▶NVDcloudfoundry/cf-deployment< 12.33.0

▶NVDcloudfoundry/user_account_and_authentication< 74.14.0

🔴Vulnerability Details

GHSA

GHSA-5fqw-8f7q-58m9: In Cloud Foundry UAA, versions prior to 74↗2022-05-24

▶

CVEList

UAA fails to check the state parameter when authenticating with external IDPs↗2020-02-27

▶