CVE-2018-15754 Information

Description

Cloud Foundry UAA versions 60 prior to 66.0 contain an authorization logic error. In environments with multiple identity providers that contain accounts with the same username across identity providers, a remote authenticated user with access to one of these accounts may be able to obtain a token for the account of the same username in the other identity provider.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/106240
https://www.cloudfoundry.org/blog/cve-2018-15754

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
