Authorization Flaw in Cloud Foundry UAA Admin Endpoints
CVE-2018-11047

7.5 HIGH

Key Information:

Vendor
CVE Published:
24 July 2018

What is CVE-2018-11047?

The vulnerability in Cloud Foundry UAA arises from a misconfiguration that permits requests to admin endpoints, such as /Users and /Groups, to be authorized with a valid refresh token instead of the access token those endpoints are meant to require. Because refresh tokens have much longer expiration times than access tokens, this could allow continued access to sensitive administrative functions, in particular when a user's account has been deactivated or altered but not completely removed from the system. Correctly managing user status is therefore critical, so that deleted or altered users can no longer exercise administrative capabilities.
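To make the authorization gap concrete, here is an added illustration that is not code from this page or from the UAA project: a minimal HS256 token checker showing the pre-fix path (any valid, in-scope token is accepted, refresh tokens included) next to a hardened path that refuses refresh tokens at the admin endpoints and re-checks that the user is still active. The signing key, user store, scope name and the "-r" jti suffix used to recognise refresh tokens are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values standing in for UAA's signing key and user store.
SIGNING_KEY = b"constructed-demo-hmac-key"
ACTIVE_USERS = {"user-1"}                # user-2 was deactivated but still holds a live refresh token
ADMIN_ENDPOINTS = ("/Users", "/Groups")  # the admin endpoints named in the advisory
REQUIRED_SCOPE = "scim.write"            # assumed scope for write access to those endpoints


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Produce an HS256 JWT; a constructed stand-in for UAA's token issuance."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def is_refresh_token(claims: dict) -> bool:
    """Assumption: refresh tokens carry a jti ending in "-r", mirroring UAA's convention."""
    return str(claims.get("jti", "")).endswith("-r")


def authorize_vulnerable(path: str, token: str, now=None):
    """Pre-fix behaviour: signature, expiry and scope are checked, token type is not."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False, "invalid or expired token"
    if path in ADMIN_ENDPOINTS and REQUIRED_SCOPE not in claims.get("scope", []):
        return False, "missing scope"
    return True, "ok"


def authorize_fixed(path: str, token: str, now=None):
    """Hardened: admin endpoints take only an access token held by a still-active user."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False, "invalid or expired token"
    if path in ADMIN_ENDPOINTS:
        if is_refresh_token(claims):
            return False, "refresh token not accepted at admin endpoint"
        if REQUIRED_SCOPE not in claims.get("scope", []):
            return False, "missing scope"
        if claims.get("user_id") not in ACTIVE_USERS:
            return False, "user no longer active"
    return True, "ok"


def demo(now: float = 1_000_000.0) -> dict:
    """A deactivated user's short-lived access token versus their long-lived refresh token."""
    base = {"user_id": "user-2", "scope": [REQUIRED_SCOPE], "iat": now}
    access = mint_token({**base, "jti": "tok-1", "exp": now + 600})
    refresh = mint_token({**base, "jti": "tok-1-r", "exp": now + 30 * 86400})
    later = now + 3600  # the access token has expired, the refresh token has not
    return {
        "access_vuln": authorize_vulnerable("/Users", access, later)[0],    # False: expired
        "refresh_vuln": authorize_vulnerable("/Users", refresh, later)[0],  # True: the flaw
        "refresh_fixed": authorize_fixed("/Users", refresh, later)[0],      # False: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo isolates is that the refresh token outlives both the access token and the user's active status, so a check that looks only at signature, expiry and scope keeps honouring it; the hardened path adds the two conditions the advisory calls for, token type and current user status.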

Affected Version(s)

Cloud Foundry UAA 4.19 < 4.19.2

Cloud Foundry UAA 4.12 < 4.12.4

Cloud Foundry UAA 4.10 < 4.10.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
