Vulnerability Description
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pivotal Software | Cloud Foundry Uaa-Release | >= 60.0, < 66.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106240Third Party AdvisoryVDB Entry
- https://www.cloudfoundry.org/blog/cve-2018-15754MitigationVendor Advisory
- https://www.cloudfoundry.org/blog/cve-2018-15754/MitigationVendor Advisory
- http://www.securityfocus.com/bid/106240Third Party AdvisoryVDB Entry
- https://www.cloudfoundry.org/blog/cve-2018-15754MitigationVendor Advisory
- https://www.cloudfoundry.org/blog/cve-2018-15754/MitigationVendor Advisory
FAQ
What is CVE-2018-15754?
CVE-2018-15754 is a vulnerability with a CVSS score of 4.2 (MEDIUM). Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same usern...
How severe is CVE-2018-15754?
CVE-2018-15754 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-15754?
Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Cloud Foundry Uaa-Release.