PT-2018-11252 · Spring · Spring Cloud Sso Connector

Published

2018-05-07

Updated

2022-05-13

CVE-2018-1256

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Spring Cloud SSO Connector version 2.1.2

Description The issue is related to a regression in the Spring Cloud SSO Connector that disables issuer validation in resource servers not bound to the SSO service. This allows a remote attacker to authenticate to unbound resource servers using tokens generated from another service plan in PCF deployments with multiple SSO service plans.

Recommendations For Spring Cloud SSO Connector version 2.1.2, update to version 2.1.3 to resolve the issue. Alternatively, bind your resource server to the SSO service plan via a service instance binding. Alternatively, set sso.connector.cloud.available=true within your Spring application properties.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2018-1256

GHSA-Q4Q2-93PW-QWGF

Affected Products

Spring Cloud Sso Connector

PT-2018-11252 · Spring · Spring Cloud Sso Connector

CVE-2018-1256

Related Identifiers

Affected Products

References · 5