CVE-2018-1190

Name of the Vulnerable Software and Affected Versions Pivotal Cloud Foundry versions prior to cf-release v270 UAA versions prior to v3.20.2 UAA bosh versions prior to v30.8 UAA bosh versions prior to v45.0

Description A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.

Recommendations For versions prior to cf-release v270, update to cf-release v270 or later. For UAA versions prior to v3.20.2, update to UAA v3.20.2 or later. For UAA bosh versions prior to v30.8, update to UAA bosh v30.8 or later. For UAA bosh versions prior to v45.0, update to UAA bosh v45.0 or later. As a temporary workaround, consider restricting access to the UAA OpenID Connect check session iframe endpoint to minimize the risk of exploitation. Avoid using the clientId parameter in the affected endpoint until the issue is resolved.