Severity
LOW
Vendor
CloudFoundry Foundation
Versions Affected
UAA Release v77.10.0 or below
Description
Expected behavior: UAA can be configured to proxy to an external OIDC or SAML provider and, using the UAA group mapping feature, to convert the external provider's user groups into the corresponding internal UAA user groups. After an initial user login has triggered the initial group conversion, if an admin then removes the user from a group in the external provider, UAA should also remove the user from the corresponding internal UAA groups upon the user's subsequent logins.
Actual behavior (in UAA Release v77.10.0 or below): UAA might not perform this group removal correctly, and as a result the user might retain outdated access in UAA that they should not have.
Mitigation
Upgrade to UAA Release v77.11.0 or above to prevent this issue with future users.
If you suspect that your existing users have retained outdated access due to this issue, we recommend that you remove the UAA shadow user (UAA’s local cache of the external provider user) via UAA’s user delete endpoint, so that the UAA shadow user and its groups can be repopulated later.
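The following is an added example, not code from the CloudFoundry Foundation or the UAA project, showing one way to carry out the shadow-user cleanup described above: it lists the UAA users whose origin is the external provider's alias via UAA's SCIM GET /Users endpoint (a filter on the origin attribute) and issues DELETE /Users/{id} for each, so that the shadow user and its groups are rebuilt from the provider at the next login. The base URL, bearer token, provider alias "my-oidc-idp", and the sample user records are constructed assumptions; the HTTP calls go through a small injectable callable so the logic can be exercised offline with a fake before it is pointed at a real UAA. The token used for a real run needs the scim.read and scim.write scopes.

```python
"""Added example (not part of the UAA advisory): find and delete UAA shadow
users for one external identity provider so their groups get repopulated."""
import json
import urllib.parse
import urllib.request

# Constructed sample of a UAA SCIM "GET /Users" response. Ids, user names and
# the origin alias "my-oidc-idp" are assumptions, not values from the advisory.
SAMPLE_USERS_RESPONSE = {
    "resources": [
        {"id": "u-alice", "userName": "alice@example.com", "origin": "my-oidc-idp",
         "groups": [{"display": "cloud_controller.admin"}]},
        {"id": "u-admin", "userName": "admin", "origin": "uaa",
         "groups": [{"display": "uaa.admin"}]},
        {"id": "u-bob", "userName": "bob@example.com", "origin": "my-oidc-idp",
         "groups": []},
    ],
    "totalResults": 3,
}


def shadow_user_ids(users_response, origin):
    """Return (id, userName) for every user whose origin is the external
    provider alias. Users with origin "uaa" are local accounts, not shadows,
    and must never be deleted by this cleanup."""
    return [(u["id"], u["userName"])
            for u in users_response.get("resources", [])
            if u.get("origin") == origin]


def list_users_url(base_url, origin, start_index=1, count=100):
    """Build the SCIM list URL with a filter on the origin attribute.
    A real run should page with startIndex until totalResults is exhausted."""
    if '"' in origin or "\\" in origin:
        raise ValueError("provider alias contains characters not safe in a SCIM filter")
    params = {"filter": f'origin eq "{origin}"',
              "startIndex": start_index, "count": count}
    return f"{base_url.rstrip('/')}/Users?{urllib.parse.urlencode(params)}"


def delete_user_url(base_url, user_id):
    return f"{base_url.rstrip('/')}/Users/{urllib.parse.quote(user_id, safe='')}"


def _urllib_http(method, url, headers):
    """Default transport: (method, url, headers) -> (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def purge_shadow_users(base_url, token, origin, http=None, dry_run=True):
    """List shadow users for `origin` and delete each one. With dry_run=True
    (the default) nothing is deleted; the rows show what would be removed."""
    http = http or _urllib_http
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, body = http("GET", list_users_url(base_url, origin), headers)
    if status != 200:
        raise RuntimeError(f"listing users failed: HTTP {status}")
    results = []
    for user_id, user_name in shadow_user_ids(json.loads(body), origin):
        if dry_run:
            results.append((user_id, user_name, "dry-run"))
            continue
        status, _ = http("DELETE", delete_user_url(base_url, user_id), headers)
        results.append((user_id, user_name, status))
    return results


def fake_http(method, url, headers):
    """Offline stand-in for UAA: serves the constructed sample and accepts deletes."""
    if method == "GET":
        return 200, json.dumps(SAMPLE_USERS_RESPONSE)
    return 200, ""


if __name__ == "__main__":
    for row in purge_shadow_users("https://uaa.example.com", "ASSUMED-TOKEN",
                                  "my-oidc-idp", http=fake_http, dry_run=False):
        print(row)
```

Run it first with the default dry_run=True against the real UAA to review which accounts would be removed; the local "admin" account with origin "uaa" is excluded by the origin filter, so only the provider's shadow users are touched.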
Credit
@Rohit04061992 for reporting
@strehle for fixing
History
07/18/2024: Initial vulnerability report published.