CVE-2018-15754

high

Description

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

References

https://www.cloudfoundry.org/blog/cve-2018-15754/

https://www.cloudfoundry.org/blog/cve-2018-15754

http://www.securityfocus.com/bid/106240

Details

Source: Mitre, NVD

Published: 2018-12-13

Updated: 2019-10-09

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High