High severity (8.1) · NVD Advisory · Published May 7, 2018 · Updated Jun 17, 2026
CVE-2018-1256
Description
Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.
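The regression described above comes down to one missing check: a resource server that is not bound to an SSO plan no longer compared the token's issuer with the issuer it is supposed to trust, so a valid token from a different plan was accepted. The following Python sketch is an added illustration, not code from the SSO Connector or from this advisory; the plan URLs, audience name and claim values are constructed, and signature verification against the bound plan's keys is assumed to have already happened before these claim checks run.

```python
import base64
import json

# Added illustration (not the SSO Connector's code). Names, URLs and claim
# values below are constructed for the example.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature, purely to have sample input."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims. Signature verification is assumed to have
    already happened against the bound plan's keys; it is out of scope here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims, expected_issuer, expected_audience, now, enforce_issuer=True):
    """Accept the token only if it is unexpired, meant for this resource server
    and, when issuer validation is on, issued by the plan this server trusts."""
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False, "token expired or missing exp"
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        return False, "audience mismatch"
    if enforce_issuer and claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    return True, "ok"


# Constructed sample: this resource server trusts plan A, but the token was
# minted by plan B's issuer for the same audience name.
TRUSTED_ISSUER = "https://plan-a.login.example.com/oauth/token"
OTHER_PLAN_TOKEN = make_unsigned_token({
    "iss": "https://plan-b.login.example.com/oauth/token",
    "aud": ["orders-api"],
    "sub": "user-from-plan-b",
    "exp": 1_700_000_600,
})
NOW = 1_700_000_000


def check_with_issuer_validation():
    claims = decode_claims(OTHER_PLAN_TOKEN)
    return validate_claims(claims, TRUSTED_ISSUER, "orders-api", NOW, enforce_issuer=True)


def check_without_issuer_validation():
    # Mirrors the regression: the issuer check is skipped, so plan B's token passes.
    claims = decode_claims(OTHER_PLAN_TOKEN)
    return validate_claims(claims, TRUSTED_ISSUER, "orders-api", NOW, enforce_issuer=False)


if __name__ == "__main__":
    print("with issuer validation:   ", check_with_issuer_validation())
    print("without issuer validation:", check_without_issuer_validation())
```

The audience check alone is not enough in a multi-plan deployment, since two plans can legitimately hand out tokens carrying the same audience name; the issuer claim is what ties a token to the plan the resource server is bound to, which is why the fixed connector restores that comparison for unbound servers as well.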
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.pivotal.spring.cloud:spring-cloud-sso-connector | Maven | >= 2.1.2.RELEASE, < 2.1.3.RELEASE | 2.1.3.RELEASE |
Affected products
- GHSA coordinates, range: >= 2.1.2.RELEASE, < 2.1.3.RELEASE
- Range: 2.1.2
References
- github.com/advisories/GHSA-q4q2-93pw-qwgf (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1256 (GHSA: advisory)
- pivotal.io/security/cve-2018-1256 (NVD: mitigation, vendor advisory)
- github.com/pivotal-cf/spring-cloud-sso-connector/commit/ef647a2acf2363c6018e8543d665ac8862593372 (GHSA: fix commit)