Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the clients.write authority or scope can bypass the restrictions imposed on clients created via clients.write and create clients with arbitrary scopes that the creator does not possess.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Application_service | Pivotal_software | 2.3.0 (including) | 2.3.15 (excluding) |
| Application_service | Pivotal_software | 2.4.0 (including) | 2.4.11 (excluding) |
| Application_service | Pivotal_software | 2.5.0 (including) | 2.5.7 (excluding) |
| Application_service | Pivotal_software | 2.6.0 (including) | 2.6.2 (excluding) |
| Cloud_foundry_uaa | Pivotal_software | * | 73.4.0 (excluding) |
| Operations_manager | Pivotal_software | 2.3.0 (including) | 2.3.22 (excluding) |
| Operations_manager | Pivotal_software | 2.4.0 (including) | 2.4.16 (excluding) |
| Operations_manager | Pivotal_software | 2.5.0 (including) | 2.5.10 (excluding) |
| Operations_manager | Pivotal_software | 2.6.0 (including) | 2.6.4 (excluding) |