PT-2017-16230 · Cloud Foundry · Uaa+1
Published 2017-06-13 · Updated 2019-07-30 · CVE-2017-4963
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cloud Foundry versions prior to v252
UAA stand-alone versions 2.0.0 through 2.7.4.12
UAA stand-alone versions 3.0.0 through 3.11.0
UAA bosh versions prior to v26
Description
An issue was discovered in Cloud Foundry and UAA: UAA is vulnerable to session fixation when it is configured to authenticate against an external SAML or OpenID Connect based identity provider. In a session fixation attack the attacker obtains or plants the victim's session identifier before the victim authenticates and then reuses that same identifier once the identity provider has signed the victim in; the defence is to invalidate the pre-authentication session and issue a fresh identifier when the login completes. Only deployments that delegate authentication to an external SAML or OIDC identity provider are covered by this advisory.
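The following is an added example, not code from UAA or the Cloud Foundry project. It models the external-IdP login flow in memory with a hypothetical SessionStore that either keeps the pre-authentication session ID (the vulnerable pattern) or rotates it on the IdP callback (the fixed pattern), runs the fixation attack against both, and includes a small helper, session_id_rotated, for checking a real deployment by comparing the session cookie issued before the redirect to the IdP with the one issued on the callback response. All class and function names, and the sample cookie values in the usage, are constructed for the example.

```python
"""
Session fixation across an external-IdP (SAML / OIDC) login, modelled in memory.
Added example; not UAA code. Session, SessionStore, fixation_attack and
session_id_rotated are hypothetical names.
"""
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None       # set once the IdP has asserted an identity
    idp_state: Optional[str] = None  # SAML RelayState / OIDC 'state' bound to this session


class SessionStore:
    """Server-side sessions keyed by the browser cookie value (JSESSIONID in UAA's case)."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session()
        return sid

    def begin_external_login(self, sid: Optional[str]) -> Tuple[str, str]:
        """Start of the redirect to the external IdP. As in a servlet container, an
        existing (possibly attacker-chosen) session is reused rather than replaced."""
        if sid not in self._sessions:
            sid = self.new_session()
        state = secrets.token_urlsafe(16)
        self._sessions[sid].idp_state = state
        return sid, state

    def complete_external_login(self, sid: str, state: str, asserted_user: str) -> str:
        """IdP callback. Returns the session ID the browser must use from now on."""
        sess = self._sessions.get(sid)
        if sess is None or sess.idp_state is None or not hmac.compare_digest(sess.idp_state, state):
            raise PermissionError("unknown session or state mismatch")
        if not self.rotate_on_login:
            # Vulnerable pattern: the pre-authentication ID is promoted to an authenticated one.
            sess.user = asserted_user
            sess.idp_state = None
            return sid
        # Fixed pattern: discard the pre-authentication session and issue a fresh ID.
        del self._sessions[sid]
        new_sid = self.new_session()
        self._sessions[new_sid].user = asserted_user
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess.user if sess else None


def fixation_attack(store: SessionStore) -> Optional[str]:
    """The attacker obtains a pre-auth session ID, plants it in the victim's browser,
    the victim completes the IdP login, and the attacker then presents the planted ID.
    Returns the identity the attacker's cookie resolves to afterwards (None if none)."""
    planted_sid = store.new_session()                      # attacker's own pre-auth cookie
    sid, state = store.begin_external_login(planted_sid)   # victim starts login carrying it
    store.complete_external_login(sid, state, "victim@example.com")  # IdP asserts the victim
    return store.whoami(planted_sid)


def session_id_rotated(set_cookie_before: str, set_cookie_after: str, name: str = "JSESSIONID") -> bool:
    """Check for a real deployment: compare the session cookie issued on the first
    unauthenticated response with the one issued on the IdP callback response.
    No new cookie on the callback means the pre-auth ID was kept, i.e. not rotated."""
    before, after = SimpleCookie(), SimpleCookie()
    before.load(set_cookie_before)
    after.load(set_cookie_after)
    if name not in after:
        return False
    return name not in before or before[name].value != after[name].value


if __name__ == "__main__":
    print("vulnerable store, attacker's cookie resolves to:", fixation_attack(SessionStore(rotate_on_login=False)))
    print("fixed store, attacker's cookie resolves to:     ", fixation_attack(SessionStore(rotate_on_login=True)))
    # Constructed Set-Cookie values standing in for two captured responses.
    print("rotated:", session_id_rotated("JSESSIONID=A1; Path=/uaa; HttpOnly",
                                         "JSESSIONID=B2; Path=/uaa; HttpOnly"))
```

When testing an actual UAA, capture the Set-Cookie header from the first unauthenticated request to the login page and the one from the response that completes the SAML or OIDC callback; session_id_rotated returning False on that pair is the behaviour this advisory describes.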
Recommendations
For Cloud Foundry versions prior to v252, update to version v252 or later.
For UAA stand-alone versions 2.0.0 through 2.7.4.12, update to a version later than 2.7.4.12.
For UAA stand-alone versions 3.0.0 through 3.11.0, update to a version later than 3.11.0.
For UAA bosh versions prior to v26, update to version v26 or later.
Fix
Upgrade to the fixed versions listed under Recommendations.
Weakness Enumeration
Session Fixation (CWE-384)
Related Identifiers
CVE-2017-4963
Affected Products
Cloud Foundry
Uaa