Cloud Foundry UAA vulnerabilities
5 known vulnerabilities affecting cloud_foundry/uaa.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, LOW 1
Vulnerabilities
CVE-2025-22246 (HIGH, CVSS 7.5, CWE-532). Affected: ≥ v77.21.0, < v77.32.0. Published: 2025-05-13.
Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.
Sources: cvelistv5, nvd
CVE-2024-38806 (LOW, CVSS 3.9, CWE-440). Affected: v77.10.0 and below. Published: 2024-07-18.
UAA Failure to Remove Shadow User's Access
Failure to properly synchronize users' permissions in UAA in Cloud Foundry Foundation v40.17.0 (https://github.com/cloudfoundry/cf-deployment/releases/tag/v40.17.0), potentially resulting in users retaining access rights they should not have. This can allow them to perform operations beyond their intended permissions.
Sources: cvelistv5
CVE-2020-5402 (HIGH, CVSS 8.8, CWE-352). Affected: ≥ unspecified, < v74.14.0. Published: 2020-02-27.
In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.
Sources: cvelistv5, nvd
CVE-2018-15761 (HIGH, CVSS 8.8). Affected: all versions < 4.23.0. Published: 2018-11-19.
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the URL and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Sources: cvelistv5, nvd
CVE-2018-11082 (CRITICAL, CVSS 9.8, CWE-307). Affected: all versions < 4.20.0. Published: 2018-10-05.
Cloud Foundry UAA, all versions prior to 4.20.0, and Cloud Foundry UAA Release, all versions prior to 61.0, allow brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to log in as the targeted user.
Sources: cvelistv5, nvd