
Florian Tack

Researcher from SAP
#19873 of 53,633
13.1 total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2023-17693
4.3
2023-03-28
Cloud Foundry · Cloud Foundry Uaa · CVE-2023-20903
**Name of the Vulnerable Software and Affected Versions** Cloud Foundry UAA (affected versions not specified)

**Description** The issue is related to UAA refresh tokens and external identity providers. When an external identity provider linked to the UAA is deactivated, the UAA fails to reject refresh tokens issued on behalf of users from that identity provider. As a result, clients with such refresh tokens can continue to access Cloud Foundry resources until the refresh token expires, which defaults to 30 days.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2018-13182
8.8
2018-12-13
Cloud Foundry · Cloud Foundry Uaa · CVE-2018-15754
**Name of the Vulnerable Software and Affected Versions** Cloud Foundry UAA versions prior to 66.0

**Description** The issue concerns an authorization logic error in environments with multiple identity providers where accounts have the same username across different providers. A remote authenticated user with access to one account may be able to obtain a token for an account with the same username in another identity provider.

**Recommendations** For versions prior to 66.0, update to version 66.0 or later to resolve the issue.