CVE-2018-11047

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.cloudfoundry.org/blog/cve-2018-11047/	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::
	cpe:2.3:a:pivotal_software:cloud_foundry_uaa::::::::

History

No history.

Information

Published : 2018-07-24 19:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-11047

Mitre link : CVE-2018-11047

CVE.ORG link : CVE-2018-11047

JSON object : View

Products Affected

pivotal_software

cloud_foundry_uaa

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2018-11047", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-07-24T19:29:00.287", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2018-11047/", "tags": ["Mitigation", "Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid."}, {"lang": "es", "value": "Cloud Foundry UAA, en versiones 4.19 anteriores a la 4.19.2, versiones 4.12 anteriores a la 4.12.4, versiones 4.10 anteriores a la 4.10.2, versiones 4.7 anteriores a la 4.7.6 y versiones 4.5 anteriores a la 4.5.7, autoriza incorrectamente las peticiones a los endpoints admin aceptando un token de actualizaci\u00f3n v\u00e1lido en lugar de un token de acceso. Por dise\u00f1o, los tokens de actualizaci\u00f3n tienen un tiempo de expiraci\u00f3n mayor que los tokens de acceso, lo que permite que el poseedor de un token de actualizaci\u00f3n se autentique m\u00e1s tiempo del esperado. Esto afecta a los endpoints administrativos de UAA, p.ej., /Users, /Groups, etc. Sin embargo, si el usuario ha sido eliminado o le han eliminado grupos, o si se ha eliminado el cliente, el token de actualizaci\u00f3n ya no ser\u00e1 v\u00e1lido."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89934957-FA65-4B7C-A5FB-2FF20790C26B", "versionEndExcluding": "4.5.7", "versionStartIncluding": "4.5.0"}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEFD0F0C-7C4B-43B3-B3F5-02C3162C473B", "versionEndExcluding": "4.7.6", "versionStartIncluding": "4.7.0"}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E64CF7C7-EE86-4A38-AA6A-23B87E3EA453", "versionEndExcluding": "4.10.2", "versionStartIncluding": "4.10.0"}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2114BFB-94D6-4F10-8A55-46D4407F5725", "versionEndExcluding": "4.12.4", "versionStartIncluding": "4.12.0"}, {"criteria": "cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED93DF45-D18C-4904-854F-CE53337BE912", "versionEndExcluding": "4.19.2", "versionStartIncluding": "4.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}