CVE-2020-5402 HIGH

CVE-2020-5402: UAA fails to check the state parameter when authenticating with external IDPs

Vendor Cloud Foundry

Product UAA

Weakness CWE-352 · CSRF

Published February 27, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.

Key dates

02Disclosure timeline

February 27, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-5402 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

04Related CVE

CVE-2025-11954 CSRF in Sitemio's WISECP CVE-2026-40581 ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion CVE-2026-29084 Gokapi: CSRF in Login Endpoint CVE-2026-34228 Emlog: CSRF in Backend Upgrade Interface Leading to Arbitrary Remote SQL Execution and Arbitrary File Write CVE-2022-43491 WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 - Cross-Site Request Forgery (CSRF) vulnerability