CVE-2018-1192
Description
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cloud Foundry UAA wrote the servlet SessionID into audit event log entries, so anyone who can read those logs can replay an unexpired SessionID and impersonate the user whose session it identifies.
Vulnerability
In Cloud Foundry Foundation cf-release versions prior to v285, cf-deployment versions prior to v1.7, UAA 4.5.x versions prior to 4.5.5, 4.7.x versions prior to 4.7.4, 4.8.x versions prior to 4.8.3, and UAA-release 45.7.x prior to 45.7, 52.7.x prior to 52.7, and 53.3.x prior to 53.3, the SessionID is written into audit event logs by the toString() method of UaaAuthenticationDetails, UAA's subclass of Spring Security's WebAuthenticationDetails [1][2][3][4]. That method builds the "origin" string of authentication audit events as comma-separated key=value pairs (remoteAddress=, clientId=), and before the fix it also appended sessionId= followed by the raw session identifier, without any redaction. No special configuration is required; the origin string is recorded on every authentication audit event by default.
Exploitation
An attacker who can read the UAA audit logs (for example, by compromising the log storage, a syslog drain or log aggregation system the audit logs are shipped to, or an operator account with broad log read access) can extract SessionID values from the origin field of the log entries. Presenting a still-valid SessionID as the session cookie on requests to UAA is enough to act as the legitimate logged-in user, because the session identifier is the sole factor that binds a request to the user's authenticated session; no password, token or second factor is needed beyond knowledge of the SessionID [1][2]. Two caveats bound the attack: the identifier is only useful until the victim's UAA session expires or is invalidated, and what is stolen is the UAA login session rather than an OAuth token, so the attacker must drive UAA's normal authorization flows from that session to obtain tokens.
Impact
Successful exploitation allows the attacker to assume the identity and privileges of any user whose session ID was recorded in the logs and whose session is still valid. Driving the victim's authenticated UAA session through the normal authorization flows yields tokens for that user, which can lead to complete compromise of the victim's Cloud Foundry account, including the ability to read, modify, or delete applications and services and to perform any action permitted by the user's granted OAuth scopes [1][2]. The exposure is broad because every user who authenticated while a vulnerable version was writing audit logs had a session identifier recorded.
Mitigation
Fixed versions are available: upgrade to cf-release v285, cf-deployment v1.7, UAA 4.5.5, 4.8.3, or 4.7.4; or UAA-release 45.7, 52.7, or 53.3. The fix removes the sessionId clause from the toString() output of UaaAuthenticationDetails and adds a unit test asserting that the audit origin string no longer contains sessionId= [3][4]. Upgrading stops new leakage only: logs already written by a vulnerable version still contain session identifiers, so treat archived audit logs from that period as secrets (restrict who can read them, purge or redact copies held in log aggregation systems) and invalidate UAA sessions that were active while the vulnerable version was logging. If an immediate upgrade is not possible, restrict access to the audit log files and any systems they are shipped to, rotate the logs aggressively, and monitor for unauthorized reads.
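As an added example (not code from the UAA project), the following scanner and redactor handles the archived-log problem described above: it lists the plaintext session IDs in audit log lines written by a vulnerable version, names the principals whose UAA sessions should be invalidated, and replaces each ID with a keyed, truncated hash so successive events from one session still correlate without the log holding the secret. The layout inside origin=[...] follows the comma-separated key=value pairs that UaaAuthenticationDetails.toString() builds; the surrounding line format, the event names and the sample lines themselves are constructed for this example and are not a documented UAA log format.

```python
"""Scan UAA audit logs for plaintext session IDs (CVE-2018-1192) and redact them.

Added example, not UAA project code. Only the comma-separated key=value
layout inside origin=[...] (remoteAddress=, clientId=, sessionId=) comes from
the fixed toString(); the rest of the line format is an assumption.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample audit lines. Lines 1 and 3 show what a vulnerable UAA
# writes (raw sessionId= present); line 2 is a client-credentials event that
# carries no servlet session and must not be flagged.
SAMPLE_LOG = """\
2018-01-10T12:00:01.123Z uaa Audit: UserAuthenticationSuccess ('marissa'): principal=e9f1b2, origin=[remoteAddress=10.0.0.5, clientId=cf, sessionId=4C5E2F8A9B1D3E6F7A0B2C4D6E8F0A1B], identityZoneId=[uaa]
2018-01-10T12:00:02.456Z uaa Audit: ClientAuthenticationSuccess ('cf'): principal=cf, origin=[remoteAddress=10.0.0.9, clientId=cf], identityZoneId=[uaa]
2018-01-10T12:00:03.789Z uaa Audit: UserAuthenticationSuccess ('admin'): principal=a1b2c3, origin=[remoteAddress=10.0.0.7, sessionId=0F1E2D3C4B5A69788796A5B4C3D2E1F0], identityZoneId=[uaa]
"""

# A session ID value runs until the ", " separator used by toString(), the
# closing bracket of origin=[...], or whitespace.
SESSION_RE = re.compile(r"sessionId=([^,\]\s]+)")
# Assumed "EventName ('principal'):" prefix; used only to name affected users.
PRINCIPAL_RE = re.compile(r"\('([^']+)'\)")


def find_exposed_sessions(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, session ID) for every plaintext session ID."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in SESSION_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def exposed_principals(log_text: str) -> set[str]:
    """Users whose session ID reached the log: the set whose UAA sessions
    should be invalidated after the upgrade."""
    users = set()
    for line in log_text.splitlines():
        if SESSION_RE.search(line):
            match = PRINCIPAL_RE.search(line)
            users.add(match.group(1) if match else "<unknown>")
    return users


def fingerprint(session_id: str, key: bytes) -> str:
    """Keyed, truncated SHA-256 of the session ID: events from one session
    still correlate, but the value cannot be replayed as a cookie."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:12]


def redact_line(line: str, key: bytes) -> str:
    # A different key name (sessionIdHash=) so a re-scan does not flag the stub.
    return SESSION_RE.sub(
        lambda m: "sessionIdHash=" + fingerprint(m.group(1), key), line
    )


def redact_log(log_text: str, key: bytes) -> str:
    """Redact every plaintext session ID before an archived log is retained
    or shipped to a less trusted store."""
    return "\n".join(redact_line(line, key) for line in log_text.splitlines())


if __name__ == "__main__":
    key = b"example-redaction-key"  # in practice a per-deployment secret
    for lineno, sid in find_exposed_sessions(SAMPLE_LOG):
        print(f"line {lineno}: plaintext session ID {sid[:6]}... exposed")
    print("invalidate sessions for:", sorted(exposed_principals(SAMPLE_LOG)))
    print(redact_log(SAMPLE_LOG, key))
```

The redaction keeps a keyed hash rather than dropping the field so that an investigator can still group events by session; the key must be held outside the log store, otherwise an attacker with log access could hash candidate values and confirm which session an event belongs to.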
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.cloudfoundry.identity:cloudfoundry-identity-server | Maven | < 4.5.5 | 4.5.5 |
| org.cloudfoundry.identity:cloudfoundry-identity-server | Maven | >= 4.6.0, < 4.7.4 | 4.7.4 |
| org.cloudfoundry.identity:cloudfoundry-identity-server | Maven | >= 4.8.0, < 4.8.3 | 4.8.3 |
Affected products
Patches
1f529fcb43fd Merge branch 'feature/better_print' into develop
2 files changed · +51 −9
server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDetails.java+3 −9 modified@@ -12,14 +12,14 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.authentication; +import javax.servlet.http.HttpServletRequest; +import java.io.Serializable; + import com.fasterxml.jackson.annotation.JsonProperty; import org.bouncycastle.util.encoders.Base64; import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.util.StringUtils; -import javax.servlet.http.HttpServletRequest; -import java.io.Serializable; - /** * Contains additional information about the authentication request which may be * of use in auditing etc. @@ -113,12 +113,6 @@ public String toString() { } sb.append("clientId=").append(clientId); } - if (sessionId != null) { - if (sb.length() > 0) { - sb.append(", "); - } - sb.append("sessionId=").append(sessionId); - } return sb.toString(); }
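Review bot: deleting the whole `if (sessionId != null)` block in the toString() hunk removes the secret but also the only per-session correlation the audit origin offered; emit a non-reversible reference instead (a keyed hash of sessionId, or a short prefix of such a hash) so successive audit events from one browser session can still be tied together without the raw identifier ever reaching the log. The import reorder in the first hunk (moving `import javax.servlet.http.HttpServletRequest;` and `import java.io.Serializable;` above the com.fasterxml import) is unrelated to the fix and should be dropped from a security backport so the change stays a minimal, reviewable removal. A one-line comment above the remaining clientId clause stating that the session identifier must never be printed would stop a later "better print" pass from restoring it.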
server/src/test/java/org/cloudfoundry/identity/uaa/authentication/event/UserAuthenticationSuccessEventTests.java+48 −0 added@@ -0,0 +1,48 @@ +/* + * **************************************************************************** + * Cloud Foundry + * Copyright (c) [2009-2018] Pivotal Software, Inc. All Rights Reserved. + * + * This product is licensed to you under the Apache License, Version 2.0 (the "License"). + * You may not use this product except in compliance with the License. + * + * This product includes a number of subcomponents with + * separate copyright notices and license terms. Your use of these + * subcomponents is subject to the terms and conditions of the + * subcomponent's license, as noted in the LICENSE file. + * **************************************************************************** + */ + +package org.cloudfoundry.identity.uaa.authentication.event; + +import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails; +import org.cloudfoundry.identity.uaa.user.UaaUser; + +import org.junit.Test; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.core.Authentication; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; +import static org.mockito.Mockito.mock; + +public class UserAuthenticationSuccessEventTests { + + @Test + public void get_origin_from_request() throws Exception { + MockHttpSession session = new MockHttpSession(null, "the-id"); + MockHttpServletRequest request = new MockHttpServletRequest("GET","/oauth/authorize"); + request.setSession(session); + request.setRemoteAddr("127.10.10.10"); + UaaAuthenticationDetails details = new UaaAuthenticationDetails(request, "client-id"); + + UserAuthenticationSuccessEvent event = new UserAuthenticationSuccessEvent(mock(UaaUser.class), mock(Authentication.class)); + String origin = 
event.getOrigin(details); + + assertThat(origin, containsString("remoteAddress=127.10.10.10")); + assertThat(origin, containsString("clientId=client-id")); + assertThat(origin, not(containsString("sessionId="))); + } +} \ No newline at end of file
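Review bot: the negative assertion checks only the label, `assertThat(origin, not(containsString("sessionId=")));`, so it would still pass if the identifier were printed under a different key; add `not(containsString("the-id"))`, since the session was created with `new MockHttpSession(null, "the-id")` and that value is the actual secret. The test also exercises only UserAuthenticationSuccessEvent.getOrigin(details); a direct assertion on `details.toString()` would pin the fix to the class that changed. Minor: the file ends without a trailing newline.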
a61bfabbad22 Merge branch 'feature/better_print' into develop
2 files changed · +51 −9
server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDetails.java+3 −9 modified@@ -12,14 +12,14 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.authentication; +import javax.servlet.http.HttpServletRequest; +import java.io.Serializable; + import com.fasterxml.jackson.annotation.JsonProperty; import org.bouncycastle.util.encoders.Base64; import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.util.StringUtils; -import javax.servlet.http.HttpServletRequest; -import java.io.Serializable; - /** * Contains additional information about the authentication request which may be * of use in auditing etc. @@ -113,12 +113,6 @@ public String toString() { } sb.append("clientId=").append(clientId); } - if (sessionId != null) { - if (sb.length() > 0) { - sb.append(", "); - } - sb.append("sessionId=").append(sessionId); - } return sb.toString(); }
server/src/test/java/org/cloudfoundry/identity/uaa/authentication/event/UserAuthenticationSuccessEventTests.java+48 −0 added@@ -0,0 +1,48 @@ +/* + * **************************************************************************** + * Cloud Foundry + * Copyright (c) [2009-2018] Pivotal Software, Inc. All Rights Reserved. + * + * This product is licensed to you under the Apache License, Version 2.0 (the "License"). + * You may not use this product except in compliance with the License. + * + * This product includes a number of subcomponents with + * separate copyright notices and license terms. Your use of these + * subcomponents is subject to the terms and conditions of the + * subcomponent's license, as noted in the LICENSE file. + * **************************************************************************** + */ + +package org.cloudfoundry.identity.uaa.authentication.event; + +import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails; +import org.cloudfoundry.identity.uaa.user.UaaUser; + +import org.junit.Test; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.core.Authentication; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; +import static org.mockito.Mockito.mock; + +public class UserAuthenticationSuccessEventTests { + + @Test + public void get_origin_from_request() throws Exception { + MockHttpSession session = new MockHttpSession(null, "the-id"); + MockHttpServletRequest request = new MockHttpServletRequest("GET","/oauth/authorize"); + request.setSession(session); + request.setRemoteAddr("127.10.10.10"); + UaaAuthenticationDetails details = new UaaAuthenticationDetails(request, "client-id"); + + UserAuthenticationSuccessEvent event = new UserAuthenticationSuccessEvent(mock(UaaUser.class), mock(Authentication.class)); + String origin = 
event.getOrigin(details); + + assertThat(origin, containsString("remoteAddress=127.10.10.10")); + assertThat(origin, containsString("clientId=client-id")); + assertThat(origin, not(containsString("sessionId="))); + } +} \ No newline at end of file
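Review bot: this diff is byte-identical to the one under 1f529fcb43fd (same import reorder, same removal of the `if (sessionId != null)` clause, same new test), applied as a separate merge commit. The same two points apply: replacing the clause with a keyed hash of sessionId would keep audit events correlatable without logging the secret, and the test should assert `not(containsString("the-id"))` on the real session value rather than only on the `sessionId=` label.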
599391fe5d56 Merge branch 'feature/better_print' into develop
2 files changed · +51 −9
server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthenticationDetails.java+3 −9 modified@@ -12,14 +12,14 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.authentication; +import javax.servlet.http.HttpServletRequest; +import java.io.Serializable; + import com.fasterxml.jackson.annotation.JsonProperty; import org.bouncycastle.util.encoders.Base64; import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.util.StringUtils; -import javax.servlet.http.HttpServletRequest; -import java.io.Serializable; - /** * Contains additional information about the authentication request which may be * of use in auditing etc. @@ -113,12 +113,6 @@ public String toString() { } sb.append("clientId=").append(clientId); } - if (sessionId != null) { - if (sb.length() > 0) { - sb.append(", "); - } - sb.append("sessionId=").append(sessionId); - } return sb.toString(); }
server/src/test/java/org/cloudfoundry/identity/uaa/authentication/event/UserAuthenticationSuccessEventTests.java+48 −0 added@@ -0,0 +1,48 @@ +/* + * **************************************************************************** + * Cloud Foundry + * Copyright (c) [2009-2018] Pivotal Software, Inc. All Rights Reserved. + * + * This product is licensed to you under the Apache License, Version 2.0 (the "License"). + * You may not use this product except in compliance with the License. + * + * This product includes a number of subcomponents with + * separate copyright notices and license terms. Your use of these + * subcomponents is subject to the terms and conditions of the + * subcomponent's license, as noted in the LICENSE file. + * **************************************************************************** + */ + +package org.cloudfoundry.identity.uaa.authentication.event; + +import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails; +import org.cloudfoundry.identity.uaa.user.UaaUser; + +import org.junit.Test; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.core.Authentication; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; +import static org.mockito.Mockito.mock; + +public class UserAuthenticationSuccessEventTests { + + @Test + public void get_origin_from_request() throws Exception { + MockHttpSession session = new MockHttpSession(null, "the-id"); + MockHttpServletRequest request = new MockHttpServletRequest("GET","/oauth/authorize"); + request.setSession(session); + request.setRemoteAddr("127.10.10.10"); + UaaAuthenticationDetails details = new UaaAuthenticationDetails(request, "client-id"); + + UserAuthenticationSuccessEvent event = new UserAuthenticationSuccessEvent(mock(UaaUser.class), mock(Authentication.class)); + String origin = 
event.getOrigin(details); + + assertThat(origin, containsString("remoteAddress=127.10.10.10")); + assertThat(origin, containsString("clientId=client-id")); + assertThat(origin, not(containsString("sessionId="))); + } +} \ No newline at end of file
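Review bot: this diff is byte-identical to the one under 1f529fcb43fd (same import reorder, same removal of the `if (sessionId != null)` clause, same new test), applied as a separate merge commit. As there, the unrelated import reorder should be left out of a security backport, and the test's negative assertion should cover the session value ("the-id") and not only the `sessionId=` label, otherwise a regression that prints the identifier under another key goes unnoticed.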
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-xg5v-696h-c3vr (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2018-1192 (NVD)
- [3] https://github.com/cloudfoundry/uaa/commit/1f529fcb43fd200cab10587e889343ef1683c6e6 (fix commit)
- [4] https://github.com/cloudfoundry/uaa/commit/599391fe5d564c7e4860b8a6ec17cda872a822a3 (fix commit)
- [5] https://github.com/cloudfoundry/uaa/commit/a61bfabbad22f646ecf1f00016b448b26a60daf (fix commit)
- [6] https://www.cloudfoundry.org/blog/cve-2018-1192/ (Cloud Foundry advisory; listed by GHSA and as MITRE CONFIRM reference)