CVE-2016-0781 UAA Persistent XSS Vulnerability


Severity

Low

Vendor

Cloud Foundry Foundation, Pivotal Cloud Foundry

Versions Affected
  • Cloud Foundry v208 through v231
  • Login-server v1.6 - v1.14
  • UAA v2.0.0 - v2.7.4.1 & v3.0.0 - v3.2.0
  • UAA-Release v2 - v7
  • Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20
Description

The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v233 [1] or later (cf-release v232 is not recommended for use)
  • For standalone UAA users
    • For users using UAA Version 3.0.0, please upgrade to UAA Release to v3.2.1 [3] or later
    • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.2 [2] or v3.2.1 [3]
    • For users using standalone login-server 1.X, please upgrade to UAA Release to v2.7.4.2 [2] or v3.2.1 [3]
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v8 [4]

Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigation below:

  • Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.20

Credit

GE Digital Security Team

References
History

2016-Mar-23: Initial vulnerability report published