PT-2018-10912 · Cloud Foundry Foundation · Uaa+3

Published: 2018-02-01 · Updated: 2022-05-14 · CVE-2018-1192

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cloud Foundry Foundation:
cf-release versions prior to v285
cf-deployment versions prior to v1.7
UAA 4.5.x versions prior to 4.5.5
UAA 4.7.x versions prior to 4.7.4
UAA 4.8.x versions prior to 4.8.3
UAA-release 45.7.x versions prior to 45.7
UAA-release 52.7.x versions prior to 52.7
UAA-release 53.3.x versions prior to 53.3
Description

UAA writes the session ID of a logged-in user into audit event log entries. An attacker who can read those logs can use the logged session ID to impersonate that user.
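The weakness described above is a secret (the session identifier) persisted in audit logs. The following Python is an added example, not UAA's code and not the vendor's fix: it scans constructed key=value audit lines for session-identifier fields (the field names sessionId, JSESSIONID and session_id are assumptions, as is the line format) and shows the usual mitigation of logging a short one-way fingerprint instead of the raw value, which keeps events from one session correlatable without storing anything a server would accept as authentication.

```python
import hashlib
import re

# Constructed audit-log lines in a generic key=value style. They stand in for
# the kind of record the advisory describes; they are NOT UAA's real format.
SAMPLE_AUDIT_LINES = [
    "2018-02-01T10:00:00Z event=UserAuthenticationSuccess user=alice "
    "sessionId=6A1F2C3D4E5F60718293A4B5C6D7E8F9 ip=10.0.0.5",
    "2018-02-01T10:00:05Z event=TokenIssued user=alice client=cf",
    "2018-02-01T10:00:09Z event=UserAuthenticationFailure user=bob "
    "JSESSIONID=0123456789ABCDEF0123456789ABCDEF ip=10.0.0.7",
]

# Assumed (case-insensitive) field names under which a session secret might be
# written. Values are limited to token characters, so the "<fp:...>" marker
# written by redact_session_ids() never matches on a later scan.
SESSION_FIELD_RE = re.compile(
    r"(?i)\b(sessionid|jsessionid|session_id)=([A-Za-z0-9._-]+)"
)


def audit_session_leaks(lines):
    """Detection: return (line_no, field, value) for every session id found.

    Any hit means a bearer secret has been persisted where log readers can
    reuse it, which is exactly the exposure this advisory describes.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for m in SESSION_FIELD_RE.finditer(line):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits


def session_fingerprint(session_id):
    """Short, non-reversible correlation handle for a session.

    Operators can still tie together events from one session, but the log
    no longer holds the value the server would accept as authentication.
    """
    return hashlib.sha256(session_id.encode()).hexdigest()[:8]


def redact_session_ids(line):
    """Mitigation: rewrite a line so each session field carries a fingerprint."""
    return SESSION_FIELD_RE.sub(
        lambda m: f"{m.group(1)}=<fp:{session_fingerprint(m.group(2))}>", line
    )


if __name__ == "__main__":
    for line_no, field, value in audit_session_leaks(SAMPLE_AUDIT_LINES):
        print(f"line {line_no}: field {field} exposes a session id")
    for line in SAMPLE_AUDIT_LINES:
        print(redact_session_ids(line))
```

Run against real logs, the scanner needs the field names and delimiters of the actual format; the design point is that redaction happens before the line reaches the sink, not as a cleanup afterwards, since copies of the log (forwarders, SIEM indices, backups) keep whatever was written first.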
Recommendations

For Cloud Foundry Foundation cf-release versions prior to v285, update to version v285 or later.
For cf-deployment versions prior to v1.7, update to version v1.7 or later.
For UAA 4.5.x versions prior to 4.5.5, update to version 4.5.5 or later.
For UAA 4.7.x versions prior to 4.7.4, update to version 4.7.4 or later.
For UAA 4.8.x versions prior to 4.8.3, update to version 4.8.3 or later.
For UAA-release 45.7.x versions prior to 45.7, update to version 45.7 or later.
For UAA-release 52.7.x versions prior to 52.7, update to version 52.7 or later.
For UAA-release 53.3.x versions prior to 53.3, update to version 53.3 or later.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2018-1192
GHSA-XG5V-696H-C3VR

Affected Products

Uaa
Uaa-Release
Cf-Deployment
Cf-Release