All Vulnerability Reports

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist


Severity

Medium

Vendor

Cloud Foundry

Description

Cloud Foundry UAA Release, versions v60 prior to v66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Application Service
    • 2.2.x prior to 2.2.11
    • 2.3.x prior to 2.3.5
  • Pivotal Operations Manager
    • 2.3.x prior to 2.3.8
    • 2.4.x prior to 2.4.2

Mitigation

Users of affected versions should apply the following mitigation:

  • Pivotal Application Service
    • 2.2.11
    • 2.3.5
  • Pivotal Operations Manager
    • 2.3.8
    • 2.4.2

References

History

2018-12-10: Initial vulnerability report published.