Description

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.

Remediation

References

https://www.cloudfoundry.org/blog/cve-2018-11047/

Related Vulnerabilities

CVE-2019-1003009 Vulnerability in maven package rg.jenkins-ci.plugins:active-directory

CVE-2020-2226 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project

CVE-2019-10444 Vulnerability in maven package org.jenkins-ci.plugins:bumblebee

CVE-2018-17194 Vulnerability in maven package org.apache.nif:nifi-framework-cluster

CVE-2021-33036 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-common

Severity

High

Classification

CWE-863 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mitigation Vendor Advisory