CVE-2018-1262

Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.
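
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.2 HIGH | NETWORK | LOW | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| dell | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
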
EPSS Score percentile: 61%

| Vendor | Product | Version |
|---|---|---|
| pivotal_software | cloud_foundry_uaa | 4.12.0 |
| pivotal_software | cloud_foundry_uaa | 4.12.1 |
| pivotal_software | cloud_foundry_uaa | 4.12.2 |
| pivotal_software | cloud_foundry_uaa | 4.13.0 |
| pivotal_software | cloud_foundry_uaa | 4.13.1 |
| pivotal_software | cloud_foundry_uaa | 4.13.2 |
| pivotal_software | cloud_foundry_uaa | 4.13.3 |
| pivotal_software | cloud_foundry_uaa | 4.13.4 |
| pivotal_software | cloud_foundry_uaa-release | 57.1 |
| cloudfoundry | cf-deployment | 1.27.0 ≤ x ≤ 1.31.0 |

x = Vulnerable software versions