Authorization Logic Error in Cloud Foundry UAA Allows Token Hijacking Across Identity Providers

Authorization Logic Error in Cloud Foundry UAA Allows Token Hijacking Across Identity Providers

CVE-2018-15754 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Learn more about our User Device Pen Test.