Description

Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.

Remediation

References

https://www.cloudfoundry.org/blog/cve-2018-1262/

Related Vulnerabilities

CVE-2019-10356 Vulnerability in maven package org.jenkins-ci.plugins:script-security

CVE-2022-47042 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2020-27223 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2017-2666 Vulnerability in maven package io.undertow:undertow-core

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-elastic-udfs-parent

Severity

High

Classification

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory NVD-CWE-noinfo