CVE-2018-15754 MEDIUM

CVE-2018-15754: UAA can issue tokens across identity providers if users with matching usernames exist

Vendor Cloud Foundry
Product UAA Release
Published December 13, 2018
Last update September 16, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
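To make the described failure concrete, the following is an added illustrative model, not UAA's own code: the provider names, account records and token shape are constructed assumptions. It contrasts resolving an authenticated user by username alone (the class of error described above) with resolving by the (origin, username) pair, and adds an audit helper that lists usernames present under more than one identity provider.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    origin: str    # identity provider that owns the account (assumed names: "uaa", "ldap")
    username: str
    user_id: str

# Constructed sample user directory: two identity providers, one shared username.
ACCOUNTS: List[Account] = [
    Account("uaa", "alice", "uaa-1001"),
    Account("ldap", "alice", "ldap-2002"),
    Account("ldap", "bob", "ldap-2003"),
]

def resolve_by_username(username: str) -> Optional[Account]:
    """Flawed resolution: keyed on username alone, so the first match wins
    regardless of which provider actually verified the credentials."""
    return next((a for a in ACCOUNTS if a.username == username), None)

def resolve_by_origin_and_username(origin: str, username: str) -> Optional[Account]:
    """Correct resolution: the account identity is the (origin, username) pair."""
    return next((a for a in ACCOUNTS if a.origin == origin and a.username == username), None)

def issue_token(authenticated_origin: str, username: str, strict: bool) -> Dict[str, str]:
    """Mint a minimal token for the account the authentication resolves to.
    authenticated_origin is the provider that verified the credentials."""
    if strict:
        account = resolve_by_origin_and_username(authenticated_origin, username)
    else:
        account = resolve_by_username(username)
    if account is None:
        raise LookupError("no such account")
    # Defensive invariant: a token must never carry an origin other than the
    # one that authenticated the user, even if resolution is later changed.
    if strict and account.origin != authenticated_origin:
        raise PermissionError("origin mismatch")
    return {"sub": account.user_id, "user_name": account.username, "origin": account.origin}

def colliding_usernames(accounts: List[Account]) -> Dict[str, List[str]]:
    """Audit helper: usernames that exist under more than one origin, i.e. the
    accounts exposed by this class of bug."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        by_name[a.username].append(a.origin)
    return {name: origins for name, origins in by_name.items() if len(origins) > 1}
```

With the flawed resolver, a user verified by the "ldap" provider as "alice" receives a token whose subject is the "uaa" account of the same name; the strict resolver returns the ldap account and the audit helper flags "alice" as present under both providers.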

Key dates

Disclosure timeline

December 13, 2018 CVE published
September 16, 2024 Record updated