PT-2017-18079 · Cloud Foundry · Uaa, Capi Release, Routing Release
Published 2017-07-17 · Updated 2019-10-03 · CVE-2017-8034
CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cloud Foundry CAPI-release versions prior to v1.32.0
Cloud Foundry Routing-release versions prior to v0.159.0
Cloud Foundry CF-release versions prior to v267
Description
The Cloud Controller and Router in Cloud Foundry fail to validate the issuer (the iss claim) on JSON Web Tokens (JWTs) received from UAA: a token whose signature verifies is accepted regardless of which UAA issued it. In certain multi-zone UAA configurations this can lead to privilege escalation by zone administrators.
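The defect and its fix reduce to one comparison in the token verifier. The following Go program is an added illustration written for this page, not code from Cloud Foundry, CAPI, gorouter or UAA. It uses HS256 with a constructed shared key so that it runs offline (UAA signs with RSA in practice; the issuer check is the same), and the key, issuer URLs and scope values are constructed sample data. verifySignatureOnly shows the pre-fix pattern, where a token with a valid signature passes no matter what its iss claim says; verifyWithIssuer shows the hardened pattern, where iss must exactly match the issuer the component was configured to trust.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of UAA token claims this check inspects.
type Claims struct {
	Issuer string   `json:"iss"`
	Scope  []string `json:"scope"`
}

var (
	ErrMalformed   = errors.New("malformed token")
	ErrBadSig      = errors.New("signature verification failed")
	ErrWrongIssuer = errors.New("token issuer is not the trusted UAA")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWS over claims with HS256; used here only to
// construct sample tokens for the demonstration.
func signHS256(claims Claims, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifySignatureOnly reproduces the pre-fix pattern: the signature is
// checked against the verification key, but the iss claim is never compared
// to the UAA the component was configured to trust.
func verifySignatureOnly(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the verifier decides how to check, never the token.
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, ErrMalformed
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrBadSig
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrMalformed
	}
	return &c, nil
}

// verifyWithIssuer is the hardened form: a valid signature is necessary but
// not sufficient; iss must exactly match the configured UAA issuer.
func verifyWithIssuer(token string, key []byte, trustedIssuer string) (*Claims, error) {
	c, err := verifySignatureOnly(token, key)
	if err != nil {
		return nil, err
	}
	if c.Issuer != trustedIssuer {
		return nil, ErrWrongIssuer
	}
	return c, nil
}

func main() {
	// Constructed values: a shared verification key and two issuer URLs.
	key := []byte("constructed-shared-signing-key")
	trusted := "https://uaa.example.test/oauth/token"
	tokens := map[string]string{
		"trusted zone": signHS256(Claims{Issuer: trusted, Scope: []string{"cloud_controller.admin"}}, key),
		"other zone":   signHS256(Claims{Issuer: "https://zone-b.uaa.example.test/oauth/token", Scope: []string{"cloud_controller.admin"}}, key),
	}
	for name, tok := range tokens {
		_, errOld := verifySignatureOnly(tok, key)
		_, errNew := verifyWithIssuer(tok, key, trusted)
		fmt.Printf("%-13s signature-only: %v | with issuer check: %v\n", name, errOld, errNew)
	}
}
```

Running it shows the two verifiers disagreeing only on the token from the other zone: the signature-only check reports no error for both tokens, while the issuer check returns ErrWrongIssuer for the second. When reviewing a token consumer, the question to ask is exactly this one: after the signature passes, is iss compared against a configured value, or is the token trusted on its signature alone?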
Recommendations
For Cloud Foundry CAPI-release versions prior to v1.32.0, update to version v1.32.0 or later.
For Cloud Foundry Routing-release versions prior to v0.159.0, update to version v0.159.0 or later.
For Cloud Foundry CF-release versions prior to v267, update to version v267 or later.
Affected Products
Cloud Foundry Capi Release
Cloud Foundry Routing Release
Uaa