Base Score

HIGH8.8

CVE-2018-15761

Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.

VectorNETWORK

Published Bysecurity_alert@emc.com

Published DateNov 19, 2018, 14:29

Affected Versions(1)

org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)

Introduced0

Fixed4.23.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.cloudfoundry.identity:cloudfoundry-identity-server(Maven)	0	4.23.0	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://www.cloudfoundry.org/blog/cve-2018-15761/

Base Score

HIGH8.8

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH