Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the clients.write authority or scope can bypass the restrictions imposed on clients created via clients.write and create clients with arbitrary scopes that the creator does not possess.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Application_service | Pivotal_software | 2.3.0 (including) | 2.3.15 (excluding) |
| Application_service | Pivotal_software | 2.4.0 (including) | 2.4.11 (excluding) |
| Application_service | Pivotal_software | 2.5.0 (including) | 2.5.7 (excluding) |
| Application_service | Pivotal_software | 2.6.0 (including) | 2.6.2 (excluding) |
| Cloud_foundry_uaa | Pivotal_software | * | 73.4.0 (excluding) |
| Operations_manager | Pivotal_software | 2.3.0 (including) | 2.3.22 (excluding) |
| Operations_manager | Pivotal_software | 2.4.0 (including) | 2.4.16 (excluding) |
| Operations_manager | Pivotal_software | 2.5.0 (including) | 2.5.10 (excluding) |
| Operations_manager | Pivotal_software | 2.6.0 (including) | 2.6.4 (excluding) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html