CVE-2018-1262

EUVD-2022-3237
Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.2 HIGH | NETWORK | LOW | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

EPSS Score, Percentile: 59%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| pivotal_software | cloud_foundry_uaa | 4.12.0 |
| pivotal_software | cloud_foundry_uaa | 4.12.1 |
| pivotal_software | cloud_foundry_uaa | 4.12.2 |
| pivotal_software | cloud_foundry_uaa | 4.13.0 |
| pivotal_software | cloud_foundry_uaa | 4.13.1 |
| pivotal_software | cloud_foundry_uaa | 4.13.2 |
| pivotal_software | cloud_foundry_uaa | 4.13.3 |
| pivotal_software | cloud_foundry_uaa | 4.13.4 |
| pivotal_software | cloud_foundry_uaa-release | 57.1 |
| cloudfoundry | cf-deployment | 1.27.0 ≤ 𝑥 ≤ 1.31.0 |

𝑥 = Vulnerable software versions