CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry release v241 and earlier versions
  • UAA release v2.0.0 - v2.7.4.6, v3.0.0 - v3.4.2
  • UAA BOSH release v12.3 & earlier versions
  • PCF Elastic Runtime versions prior to 1.6.40, 1.7.x versions prior to 1.7.21, and 1.8.x versions prior to 1.8.1
    • NOTE: Pivotal encourages upgrading 1.8.x versions to 1.8.2
  • PCF Ops Manager 1.7.x versions prior to 1.7.13 and 1.8.x versions prior to 1.8.1

Subdomains in the redirect_uri are not properly validated during the OAuth authorization flow, which makes it possible to obtain implicit access tokens by supplying a different subdomain in the request. Clients configured with the implicit authorization grant type are affected.
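As an added illustration (not UAA's own code), the two host checks below contrast a permissive subdomain match of the kind this description refers to with an exact match of the registered redirect URI; the client URIs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed values (not taken from the advisory): a client's registered callback
# and a request that substitutes a sibling subdomain of the same parent domain.
REGISTERED_URI = "https://app.example.com/callback"
OTHER_SUBDOMAIN_URI = "https://other.example.com/callback"

_DEFAULT_PORTS = {"https": 443, "http": 80}


def loose_redirect_match(registered: str, requested: str) -> bool:
    """Permissive host check of the kind the advisory describes.

    Any host under the registered host's parent domain is accepted, so a
    redirect_uri on a different subdomain passes the check.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    host = req.hostname or ""
    parent = reg.hostname.partition(".")[2] or reg.hostname  # "example.com"
    return req.scheme == reg.scheme and (
        host == reg.hostname or host.endswith("." + parent)
    )


def strict_redirect_match(registered: str, requested: str) -> bool:
    """Exact comparison of scheme, host, port and path.

    RFC 6749 requires a simple string comparison when the full redirect URI
    is registered; a fragment is never allowed, and any host difference,
    including a different subdomain, is rejected.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    if req.fragment or req.hostname is None:
        return False
    reg_port = reg.port or _DEFAULT_PORTS.get(reg.scheme)
    req_port = req.port or _DEFAULT_PORTS.get(req.scheme)
    return (
        req.scheme == reg.scheme
        and req.hostname == reg.hostname
        and req_port == reg_port
        and req.path == reg.path
    )


def effective_redirect(registered: str, requested: str) -> Optional[str]:
    """Return the URI to redirect to, or None to refuse the request.

    The registered URI is returned rather than the requested string, so the
    token fragment only ever reaches the host the client enrolled.
    """
    return registered if strict_redirect_match(registered, requested) else None
```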

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v242 [1] or later
  • For standalone UAA users:
    • For users running UAA version 3.0.0 - 3.4.2, please upgrade to UAA release v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]
    • For users running standalone UAA version 2.X.X, please upgrade to UAA release v2.7.4.7 [5]
    • For users of the UAA BOSH release, please upgrade to UAA-Release v16 [6] if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3], or v11.5 [8] if upgrading to v3.3.0.5 [4]

Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigations below:

  • Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.40, 1.7.x versions to 1.7.21, and 1.8.x versions to 1.8.2
  • Upgrade Pivotal Ops Manager 1.7.x versions to 1.7.13 and 1.8.x versions to 1.8.1

GE Digital Security Team

2016-09-26: Initial vulnerability report published