Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist

by: December 10, 2018

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist

Severity

Medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • UAA release:
    • versions v60 prior to v66.0

Description

Cloud Foundry UAA, versions v60 prior to v66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

    • UAA release v66.0

Credit

This issue was responsibly reported by the Florian Tack and Torsten Luh of SAP.

History

2018-12-10: Initial vulnerability report published.

2018-02-28: Corrected credit section

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-6360-1: FLAC vulnerability
Security Advisory

USN-6360-1: FLAC vulnerability

by Cloud Foundry Foundation Security Team October 5, 2023
USN-4126-1: FreeType vulnerability
Security Advisory

USN-4126-1: FreeType vulnerability

by Cloud Foundry Foundation Security Team September 30, 2019
USN-5502-1: OpenSSL vulnerability
Security Advisory

USN-5502-1: OpenSSL vulnerability

by Cloud Foundry Foundation Security Team August 26, 2022
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept