Show filters
20 Total Results
Displaying 1-10 of 20
Sort by:
Attacker Value
Unknown
UAA SQL Identity Zone Vulnerability
Disclosure Date: July 11, 2019 (last updated November 27, 2024)
Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.
0
Attacker Value
Unknown
UAA defaults email address to an insecure domain
Disclosure Date: June 19, 2019 (last updated November 27, 2024)
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.
0
Attacker Value
Unknown
UAA can issue tokens across identity providers if users with matching usernames…
Disclosure Date: December 13, 2018 (last updated November 27, 2024)
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
0
Attacker Value
Unknown
UAA Privilege Escalation
Disclosure Date: November 19, 2018 (last updated November 27, 2024)
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
0
Attacker Value
Unknown
CVE-2018-11041
Disclosure Date: June 25, 2018 (last updated November 26, 2024)
Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.
0
Attacker Value
Unknown
CVE-2018-1262
Disclosure Date: May 15, 2018 (last updated November 26, 2024)
Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.
0
Attacker Value
Unknown
CVE-2018-1192
Disclosure Date: February 01, 2018 (last updated November 26, 2024)
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
0
Attacker Value
Unknown
CVE-2015-5171
Disclosure Date: October 24, 2017 (last updated November 26, 2024)
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
0
Attacker Value
Unknown
CVE-2015-5173
Disclosure Date: October 24, 2017 (last updated November 26, 2024)
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."
0
Attacker Value
Unknown
CVE-2015-5170
Disclosure Date: October 24, 2017 (last updated November 26, 2024)
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
0