CVE-2017-2773 Unauthenticated JWT signing algorithm in multiple components
Severity
High
Vendor
Pivotal
Description
Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime.
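The advisory does not name the libraries involved or the exact gap in their validation logic, so the following is an added illustration of the class the title describes, not Pivotal or Cloud Foundry code: a verifier that lets the token's own `alg` header choose how (or whether) the signature is checked, shown beside one that pins the algorithm it will accept. It is written in Python using only the standard library; the secret, the claims and the forged token are constructed for the demonstration.

```python
"""Illustrative JWT 'alg' handling: a verifier that lets the token's own header
pick the algorithm, next to one that pins the algorithm it will accept.

Added example (not Pivotal/Cloud Foundry code). The secret, claims and
forged token below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the demo; a real verifier takes its key from configuration.
SECRET = b"constructed-demo-hmac-key"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS uses (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a genuine HS256 token the way the legitimate issuer would."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_unsigned(payload: dict) -> str:
    """Attacker side: a token declaring alg=none, so it carries no signature at all."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the untrusted header decides how (or whether) the signature is checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if header.get("alg") == "none":
        # Nothing to check, so whatever claims the attacker wrote are accepted.
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """HARDENED: the verifier, not the token, fixes the algorithm; anything else is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None
    # The header's alg is compared against the one expected value, never used to pick code.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not signature or not hmac.compare_digest(expected, signature):
        return None
    return payload if isinstance(payload, dict) else None


def demo() -> dict:
    """Run the three cases a reviewer would want to see and return the outcomes."""
    genuine = sign_hs256({"sub": "alice", "scope": ["read"]}, SECRET)
    forged = forge_unsigned({"sub": "admin", "scope": ["admin"]})
    # Tampered: the attacker swaps the payload but keeps alice's real signature.
    header_b64, _, sig_b64 = genuine.split(".")
    tampered = f"{header_b64}.{_encode_part({'sub': 'admin'})}.{sig_b64}"
    return {
        "genuine_trusting": verify_trusting_header(genuine, SECRET),
        "genuine_pinned": verify_pinned(genuine, SECRET),
        "forged_trusting": verify_trusting_header(forged, SECRET),
        "forged_pinned": verify_pinned(forged, SECRET),
        "tampered_trusting": verify_trusting_header(tampered, SECRET),
        "tampered_pinned": verify_pinned(tampered, SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The forged token in `demo()` never touches the key: the only reason the first verifier accepts it is that it reads `alg` from the attacker-controlled header and treats `none` as a valid choice. Pinning the algorithm on the verifier side closes that path, and the same pinning is what blocks the related confusion where a token meant for an asymmetric algorithm is re-signed with HS256 under the public key, since the header value is no longer consulted to choose a code path. When checking a component for this class of bug, the question to ask of its JWT library call is whether the accepted algorithm is supplied by the caller or taken from the token.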
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- PCF Elastic Runtime:
- 1.6.x versions prior to 1.6.60
- 1.7.x versions prior to 1.7.41
- 1.8.x versions prior to 1.8.23
- 1.9.x versions prior to 1.9.1
- Note: PCF Elastic Runtime 1.10.x versions are not vulnerable to this issue.
Mitigation
Users of affected versions should upgrade to a release that fixes this issue:
- PCF Elastic Runtime: 1.6.60, 1.7.41, 1.8.23, 1.9.1
References
History
2017-03-27: Initial vulnerability report published