Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2025-22216 UAA Missing Zone Validation

by: January 29, 2025

Severity

MED

Overall CVSS Score: 5.0

CVSS v3.1 Vector:  AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C

Vendor

CloudFoundry Foundation

Versions Affected

  • Affected thru UAA Releases 77.20.1, 77.24.0
  • Unaffected from UAA Release 77.20.2
  • Unaffected from UAA Release 77.25.0

Description

A UAA configured with multiple identity zones, does not properly validate session information across those zones.  A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.  

Mitigation

  • Upgrade to UAA version v77.20.2 or higher
  • Or Upgrade to UAA version v77.25.0 or higher

Credit

Daniel Rosenblueh (SAP)

History

01-29-2023: Initial vulnerability report published.
01-30-2023: Added credits

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-4969-1: DHCP vulnerability
Security Advisory

USN-4969-1: DHCP vulnerability

by Cloud Foundry Foundation Security Team June 11, 2021
CVE-2018-1276: Windows2012R2 stemcell exposes IaaS metadata on vSphere
Security Advisory

CVE-2018-1276: Windows2012R2 stemcell exposes IaaS metadata on vSphere

by Cloud Foundry Foundation Security Team May 16, 2018
USN-5995-1: Vim vulnerabilities
Security Advisory

USN-5995-1: Vim vulnerabilities

by Cloud Foundry Foundation Security Team April 24, 2023
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept