PT-2018-11252 · Spring · Spring Cloud Sso Connector

Publicado

2018-05-07

Atualizado

2022-05-13

CVE-2018-1256

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Spring Cloud SSO Connector version 2.1.2

Description The issue is related to a regression in the Spring Cloud SSO Connector that disables issuer validation in resource servers not bound to the SSO service. This allows a remote attacker to authenticate to unbound resource servers using tokens generated from another service plan in PCF deployments with multiple SSO service plans.

Recommendations For Spring Cloud SSO Connector version 2.1.2, update to version 2.1.3 to resolve the issue. Alternatively, bind your resource server to the SSO service plan via a service instance binding. Alternatively, set sso.connector.cloud.available=true within your Spring application properties.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Identificadores relacionados

CVE-2018-1256

GHSA-Q4Q2-93PW-QWGF

Produtos afetados

Spring Cloud Sso Connector

PT-2018-11252 · Spring · Spring Cloud Sso Connector

CVE-2018-1256

Identificadores relacionados

Produtos afetados

Referências · 5