Security Advisory

CVE-2025-22216 UAA Missing Zone Validation

Severity

MED

Overall CVSS Score: 5.0

CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C

Vendor

CloudFoundry Foundation

Versions Affected

  • Affected: UAA releases through 77.20.1, and 77.24.0 (including 77.21.0, 77.22.0, 77.23.0)
  • Unaffected: UAA release 77.20.2 and later in that line
  • Unaffected: UAA release 77.25.0 and later

Description

A UAA configured with multiple identity zones does not properly validate session information across those zones. A user authenticated against a corporate IDP can re-use their JSESSIONID to access other zones.
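The defensive pattern the advisory implies is that a server-side session must stay bound to the identity zone in which it was created, and a request carrying that session against another zone must be rejected and logged. The following is an added, illustrative model of that check and is not UAA's own code; the session store, the `uaa.example.com` base domain, the subdomain-to-zone mapping, and the function names are all constructed for the example.

```python
"""Illustrative (not UAA's) model of binding a session to the identity zone it
was created in, so a session id issued in one zone is rejected when presented
against another zone's hostname. All names and data here are constructed."""
from dataclasses import dataclass, field

BASE_DOMAIN = "uaa.example.com"  # constructed base domain for the default zone


@dataclass
class Session:
    session_id: str
    user: str
    zone_id: str  # the zone the user authenticated in


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def resolve_zone(host: str) -> str:
    """Map the request Host header to a zone id.

    Constructed convention: the default zone ("uaa") is served on the base
    domain; every other zone is served on a single-label subdomain of it.
    """
    host = host.split(":")[0].lower()
    if host == BASE_DOMAIN:
        return "uaa"
    suffix = "." + BASE_DOMAIN
    if host.endswith(suffix):
        label = host[: -len(suffix)]
        if label and "." not in label:
            return label
    raise ValueError(f"host {host!r} does not map to a known zone")


def lookup_unbound(store: dict, session_id: str, host: str):
    """Weak pattern: any valid session id is accepted regardless of zone."""
    return store.get(session_id)


def lookup_zone_bound(store: dict, session_id: str, host: str, audit: AuditLog):
    """Hardened pattern: the session is only valid in the zone it was created in.
    A mismatch is treated as an invalid session and written to the audit log."""
    sess = store.get(session_id)
    if sess is None:
        return None
    zone = resolve_zone(host)
    if sess.zone_id != zone:
        audit.entries.append(
            f"session {session_id} for user {sess.user} bound to zone "
            f"{sess.zone_id} presented against zone {zone}; rejected"
        )
        return None
    return sess


# Constructed sample data: one session created in the "corp" zone.
SESSION_STORE = {"s-1": Session("s-1", "alice", "corp")}


def demo():
    """Run both lookups with the same session id against a different zone."""
    audit = AuditLog()
    other_zone_host = "finance." + BASE_DOMAIN
    unbound = lookup_unbound(SESSION_STORE, "s-1", other_zone_host)
    bound = lookup_zone_bound(SESSION_STORE, "s-1", other_zone_host, audit)
    same_zone = lookup_zone_bound(SESSION_STORE, "s-1", "corp." + BASE_DOMAIN, audit)
    return unbound, bound, same_zone, audit.entries


if __name__ == "__main__":
    unbound, bound, same_zone, entries = demo()
    print("unbound lookup accepted cross-zone session:", unbound is not None)
    print("zone-bound lookup accepted cross-zone session:", bound is not None)
    print("zone-bound lookup accepted same-zone session:", same_zone is not None)
    for line in entries:
        print("audit:", line)
```

The audit entry is the detection hook: a session id appearing against a zone other than the one it was issued in is worth alerting on even after the upgrade, since it indicates a cookie being replayed outside its intended tenant.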

Mitigation

  • Upgrade to UAA version v77.20.2 or higher
  • Or upgrade to UAA version v77.25.0 or higher

Credit

Daniel Rosenblueh (SAP)

History

01-29-2025: Initial vulnerability report published.
01-30-2025: Added credits
01-31-2025: Clarified versions


Cloud Foundry Foundation Security Team, AUTHOR
