VYPR

Uaa

by Cloudfoundry

CVEs (51)

  • CVE-2019-11279 (Sep 26, 2019)
    risk 0.00, cvss not listed, epss 0.01

    In CF UAA versions prior to 74.1.0, a client can request scopes it should not be allowed by submitting the requested scopes as an array. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls.

  • CVE-2019-11278 (Sep 26, 2019)
    risk 0.00, cvss not listed, epss 0.01

    CF UAA versions prior to 74.1.0 allow external input to be queried against directly. A remote malicious user holding 'client.write' and 'groups.update' can craft a SCIM query that leaks information allowing an escalation of privileges, ultimately allowing the malicious user…

  • CVE-2019-11274 (Aug 9, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA versions prior to 74.0.0 are vulnerable to an XSS attack. A remote unauthenticated attacker could craft a URL containing a SCIM filter with malicious JavaScript, which older browsers may execute.

  • CVE-2019-11270 (Aug 5, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator…

  • CVE-2019-3794 (Jul 18, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-Frame-Options header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.

  • CVE-2019-11268 (Jul 11, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those read privileges to all other identity zones and obtain private information on users,…

  • CVE-2019-3787 (Jun 19, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA versions prior to 73.0.0 fall back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password…

  • CVE-2019-3788 (Apr 25, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA Release versions prior to 71.0 allow clients to be configured with an insecure redirect URI. Given a UAA client configured with a wildcard in the redirect URI's subdomain, a remote unauthenticated attacker can craft a phishing link to get a UAA…

  • CVE-2019-3775 (Mar 7, 2019)
    risk 0.00, cvss not listed, epss 0.01

    Cloud Foundry UAA versions prior to v70.0 allow a user to update their own email address. A remote authenticated user can impersonate a different user by changing their own email address to that of the other user.

  • CVE-2018-15754 (Dec 13, 2018)
    risk 0.00, cvss not listed, epss 0.02

    Cloud Foundry UAA versions from 60 up to, but not including, 66.0 contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be…

  • CVE-2018-15761 (Nov 19, 2018)
    risk 0.00, cvss not listed, epss 0.02

    Cloud Foundry UAA release versions prior to v64.0, and UAA versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the URL and content of a consent page to gain a token with arbitrary scopes that…
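Two of the entries above (CVE-2019-11279 and CVE-2019-11270) come down to the same rule: the scopes a caller asks for must be checked against what that caller is entitled to, whatever shape the request arrives in. The following is an added illustration of those two checks in Python; it is not UAA's own code, and the client registry, client IDs, scope names and request payloads are constructed sample data.

```python
"""Scope checks an OAuth2 authorization server should apply.

Added illustration, not UAA's own code.  Two checks correspond to two of
the entries above:

* a token request may name scopes only from the set registered for the
  requesting client, regardless of whether the scopes arrive as a
  space-delimited string or as an array (the CVE-2019-11279 entry), and
* a client created through a management API may be granted only scopes
  and authorities the creator itself holds (the CVE-2019-11270 entry).

The client registry and the request payloads are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    scopes: frozenset        # scopes this client may obtain in user tokens
    authorities: frozenset   # authorities it holds in its own right


# Constructed registry: a narrow app client, an admin client, and a client
# that holds clients.write but little else.
CLIENTS = {
    "app": Client("app", frozenset({"openid", "cloud_controller.read"}),
                  frozenset({"uaa.resource"})),
    "admin": Client("admin", frozenset(),
                    frozenset({"clients.write", "uaa.admin"})),
    "dev-tool": Client("dev-tool", frozenset({"openid"}),
                       frozenset({"clients.write", "clients.read"})),
}


class ScopeError(ValueError):
    """Raised when a request names scopes the caller is not entitled to."""


def grant_scopes(client_id: str, requested) -> frozenset:
    """Return the scopes a token for `client_id` may carry.

    `requested` is whatever the caller sent: a space-delimited string or an
    array.  Both are normalised to a set before the check, so the array
    form gets no different treatment from the string form; every element
    must already be registered for the client.
    """
    client = CLIENTS[client_id]
    if isinstance(requested, str):
        requested = requested.split()
    wanted = frozenset(s for s in requested if s)
    if not wanted:                      # nothing explicit: all registered
        return client.scopes
    extra = wanted - client.scopes
    if extra:
        raise ScopeError(f"{client_id} may not request {sorted(extra)}")
    return wanted


def create_client(creator_id: str, new_client: dict) -> Client:
    """Register `new_client` on behalf of `creator_id`.

    The creator needs clients.write, and may not hand out any scope or
    authority it does not itself hold, so clients.write cannot be used to
    mint a client stronger than its creator.
    """
    creator = CLIENTS[creator_id]
    if "clients.write" not in creator.authorities:
        raise PermissionError(f"{creator_id} lacks clients.write")
    scopes = frozenset(new_client.get("scope", ()))
    authorities = frozenset(new_client.get("authorities", ()))
    allowed = creator.scopes | creator.authorities
    extra = (scopes | authorities) - allowed
    if extra:
        raise ScopeError(f"{creator_id} cannot delegate {sorted(extra)}")
    client = Client(new_client["client_id"], scopes, authorities)
    CLIENTS[client.client_id] = client
    return client
```

The point of normalising first is that the entitlement check runs on one canonical set, so there is no code path in which a differently typed payload reaches the grant without being compared to the registration.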
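The CVE-2019-3788 entry above describes why a wildcard in a registered redirect URI's subdomain is dangerous: the host that receives the authorization response becomes the link author's choice. The following is an added illustration in Python, not UAA's own code, contrasting a wildcard host rule with an exact allow-list. The client registrations and hosts are constructed, and it assumes the attacker can obtain some host under the wildcarded parent domain (for instance an app deployed on a shared apps domain); that assumption is marked in the code.

```python
"""Redirect-URI matching at an OAuth2/OIDC authorization endpoint.

Added illustration for the CVE-2019-3788 entry; this is not UAA's code.
A wildcard in the registered redirect URI's subdomain lets anyone who can
obtain a host under that parent domain receive the authorization code, so
the phishing link needs no credentials at all.  An exact allow-list does
not have that property.  Client registrations and hosts are constructed.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlencode, urlsplit

# Constructed registrations for the same client: the wildcard style the
# entry warns about, and an exact list of the URIs the client really owns.
WILDCARD_CLIENT = {
    "client_id": "portal",
    "redirect_uri": ["https://*.apps.example.com/callback"],
}
STRICT_CLIENT = {
    "client_id": "portal",
    "redirect_uri": ["https://portal.apps.example.com/callback"],
}

# Assumption for the example: the attacker controls this host, e.g. an app
# they deployed under the platform's shared apps domain.
ATTACKER_CALLBACK = "https://attacker.apps.example.com/callback"
LEGITIMATE_CALLBACK = "https://portal.apps.example.com/callback"


def wildcard_match(registered: str, candidate: str) -> bool:
    """Permissive rule: '*' in the registered host matches any labels.

    Scheme and path must still be identical; only the host is wildcarded,
    which is exactly the part the attacker gets to choose.
    """
    reg, cand = urlsplit(registered), urlsplit(candidate)
    return (reg.scheme == cand.scheme
            and reg.path == cand.path
            and fnmatchcase(cand.hostname or "", reg.hostname or ""))


def exact_match(registered: str, candidate: str) -> bool:
    """Strict rule: the candidate must equal a registered URI exactly."""
    return registered == candidate


def redirect_allowed(client: dict, candidate: str, matcher) -> bool:
    """Would the server send the user, and the code, to `candidate`?"""
    return any(matcher(r, candidate) for r in client["redirect_uri"])


def authorization_url(issuer: str, client_id: str, redirect_uri: str) -> str:
    """Authorization request as it would appear in a link sent to a victim.

    Everything is the legitimate client's except redirect_uri, which the
    link's author chooses.  If redirect_allowed() accepts it, the code is
    delivered to that host once the victim logs in.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid"}
    return f"{issuer}/oauth/authorize?{urlencode(params)}"
```

Under `wildcard_match` the attacker's callback and the legitimate one are indistinguishable to the server; under `exact_match` only the registered URI passes. When a wildcard is operationally unavoidable, it should cover only hosts the client itself controls, never a shared domain where other tenants can create names.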

Page 3 of 3