PT-2018-10295 · Cloud Foundry · Uaa+1

Dr. Nic Williams

·

Published

2018-10-05

·

Updated

2020-01-17

·

CVE-2018-11083

CVSS v3.1

8.4

High

Vector AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the vulnerable software and affected versions

Cloud Foundry BOSH v264 prior to v264.14.0
Cloud Foundry BOSH v265 prior to v265.7.0
Cloud Foundry BOSH v266 prior to v266.8.0
Cloud Foundry BOSH v267 prior to v267.2.0

Description

When the BOSH Director is configured to authenticate against UAA, it accepts a UAA refresh token in place of an access token. A remote attacker holding a UAA-issued refresh token for an admin user can therefore present it directly to the Director and access BOSH resources without ever exchanging it for an access token. Because the exchange at UAA is where revoked access would be enforced, and refresh tokens are long-lived, the refresh token keeps working even if the user no longer has access to those resources.
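The two checks below, added here as an illustration and not code from BOSH or UAA, contrast the pattern described above with a hardened one: a validator that only verifies the signature and reads the `scope` claim accepts a refresh token just as readily as an access token, while one that also rejects refresh tokens, checks `exp` and checks `aud` does not. Everything here is constructed: HS256 with an embedded key stands in for UAA's RSA signing, the token lifetimes and the audience `bosh_cli` are assumed values, and the rule used to recognise a refresh token (a `-r` suffix on the `jti` claim) is an assumption about UAA's token format made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed signing key. Real UAA signs tokens with RSA; HS256 keeps this
# example dependency-free without changing the point being demonstrated.
SIGNING_KEY = b"constructed-example-key-not-a-real-uaa-secret"
ISSUED_AT = 1_538_697_600          # constructed timestamp (2018-10-05 00:00 UTC)
ACCESS_TTL = 12 * 3600             # assumption: 12 h access-token lifetime
REFRESH_TTL = 30 * 24 * 3600       # assumption: 30-day refresh-token lifetime
REQUIRED_SCOPE = "bosh.admin"
EXPECTED_AUDIENCE = "bosh_cli"     # assumption: client id the Director expects in "aud"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Produce an HS256 JWT over `claims` (stands in for UAA's token endpoint)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_verified(token: str) -> dict:
    """Check the HMAC and return the claims; raise on a malformed or forged token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# Two constructed tokens for the same admin user, as UAA would hand them to the
# CLI: the short-lived access token and the long-lived refresh token. Both carry
# the same scopes; the only structural difference assumed here is the "-r" jti suffix.
ACCESS_TOKEN = mint_token({
    "jti": "0b7c4f9e3c0d4f2c9a1b8d6e5f4a3b2c",
    "sub": "user-uuid-1234", "user_name": "admin",
    "scope": ["bosh.admin", "openid"], "aud": ["bosh_cli", "bosh"],
    "iat": ISSUED_AT, "exp": ISSUED_AT + ACCESS_TTL,
})
REFRESH_TOKEN = mint_token({
    "jti": "7d2e1a4c9f8b4e6d8c3a5b1f2e4d6c8a-r",
    "sub": "user-uuid-1234", "user_name": "admin",
    "scope": ["bosh.admin", "openid"], "aud": ["bosh_cli", "bosh"],
    "iat": ISSUED_AT, "exp": ISSUED_AT + REFRESH_TTL,
})


def vulnerable_authorize(token: str) -> bool:
    """The flawed pattern: any validly signed token carrying the scope is admin."""
    claims = decode_verified(token)
    return REQUIRED_SCOPE in claims.get("scope", [])


def hardened_authorize(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only a live access token issued for this audience that carries the scope."""
    claims = decode_verified(token)
    now = time.time() if now is None else now
    if claims.get("jti", "").endswith("-r"):          # assumed refresh-token marker
        return False, "refresh token presented as access token"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if EXPECTED_AUDIENCE not in claims.get("aud", []):
        return False, "token not issued for this audience"
    if REQUIRED_SCOPE not in claims.get("scope", []):
        return False, f"missing scope {REQUIRED_SCOPE}"
    return True, "ok"


if __name__ == "__main__":
    probe = ISSUED_AT + 60
    print("vulnerable, access :", vulnerable_authorize(ACCESS_TOKEN))
    print("vulnerable, refresh:", vulnerable_authorize(REFRESH_TOKEN))   # the bug: True
    print("hardened,   access :", hardened_authorize(ACCESS_TOKEN, probe))
    print("hardened,   refresh:", hardened_authorize(REFRESH_TOKEN, probe))
```

Rejecting the refresh token at the resource server is what makes the "user no longer has access" case fail closed: the client is forced back to UAA's token endpoint to refresh, and that is the step at which UAA re-evaluates the user and the granted scopes. A signature check alone cannot do this, because a refresh token is signed by the same issuer and, as constructed here, carries the same `scope` claim as the access token.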
Fix

For Cloud Foundry BOSH v264, update to v264.14.0 or later; for v265, update to v265.7.0 or later; for v266, update to v266.8.0 or later; for v267, update to v267.2.0 or later.


Related identifiers

CVE-2018-11083

Affected products

Cloud Foundry Bosh
Uaa