CVE-2019-3794: UAA – Login app subject to clickjacking attack
Severity
Medium
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- Severity is medium unless otherwise noted.
- UAA Release (OSS) is vulnerable prior to v73.4.0
Description
Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA’s frontend sites.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- UAA Release (OSS)
- Upgrade All versions to v73.4.0 or greater
History
2019-07-09: Initial vulnerability report published.