Base Score

HIGH8.1

CVE-2018-1256

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateMay 07, 2018, 16:22

Affected Versions(1)

io.pivotal.spring.cloud:spring-cloud-sso-connector(Maven)

Introduced2.1.2.RELEASE

Fixed2.1.3.RELEASE

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
io.pivotal.spring.cloud:spring-cloud-sso-connector(Maven)	2.1.2.RELEASE	2.1.3.RELEASE	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://pivotal.io/security/cve-2018-1256

Base Score

HIGH8.1

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH