
Cloud Foundry Uaa vulnerabilities

5 known vulnerabilities affecting cloud_foundry/uaa.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3

Vulnerabilities

CVE-2018-15761 (HIGH, CVSS 8.8, P3)
Affected: all versions < 4.23.0. Published: 2018-11-19.
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Source: nvd

CVE-2018-11082 (CRITICAL, CVSS 9.8, P3, CWE-307)
Affected: all versions < 4.20.0. Published: 2018-10-05.
Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA Release, all versions prior to 61.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.
Source: nvd

CVE-2026-41005 (CRITICAL, CVSS 9.0, P3, CWE-347)
Affected: >= 2.0.0, < 78.14.0. Published: 2026-06-11.
Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned bu
Source: nvd

CVE-2025-22246 (HIGH, CVSS 7.5, P3, CWE-532)
Affected: >= v77.21.0, < v77.32.0. Published: 2025-05-13.
Cloud Foundry UAA release versions from v77.21.0 to v7.31.0 are vulnerable to a private key exposure in logs.
Source: nvd

CVE-2020-5402 (HIGH, CVSS 8.8, P3, CWE-352)
Affected: < v74.14.0 (lower bound unspecified). Published: 2020-02-27.
In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.
Source: nvd