Cloud Foundry UAA Denial of Service through client token revocation endpoint
Severity: Moderate (GitHub Reviewed)
Published May 13, 2022 to the GitHub Advisory Database • Updated Mar 1, 2024
Package
Affected versions          Patched versions
>= 4.6.0, < 4.7.1          4.7.1
>= 4.0.0, < 4.5.3          4.5.3
< 3.20.1                   3.20.1
Published by the National Vulnerability Database: Nov 27, 2017
Published to the GitHub Advisory Database: May 13, 2022
Reviewed: Mar 1, 2024
Last updated: Mar 1, 2024
Description
An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.
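The flaw the description names is an authorization-scoping problem: the revocation endpoint checks that the caller holds a token for the client, but not that the tokens being revoked belong to the caller. The model below is an added example, not UAA's code; the token store, the `revoke_unscoped` / `revoke_scoped` handlers and the sample users and client ids are all constructed for illustration. It places the vulnerable pattern beside the hardened one and reports how many other users' sessions each revocation destroys, which is the denial-of-service effect the advisory describes.

```python
"""Hypothetical model of the authorization flaw in the advisory.

Not UAA code: the store, handlers, user and client names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    token_id: str
    client_id: str   # OAuth client the token was issued to
    user_id: str     # end user who authenticated through that client


# Constructed sample data: three users holding tokens on two clients.
SAMPLE_TOKENS = [
    Token("t1", "app-client", "alice"),
    Token("t2", "app-client", "bob"),
    Token("t3", "other-client", "alice"),
    Token("t4", "app-client", "carol"),
]


class TokenStore:
    def __init__(self, tokens):
        # Copy into a private map so each store instance is independent.
        self._tokens = {t.token_id: t for t in tokens}

    def active_ids(self):
        return sorted(self._tokens)

    def revoke_unscoped(self, caller: Token, client_id: str):
        """Vulnerable pattern: any authenticated holder of a token for
        `client_id` may revoke every token issued to that client, including
        tokens that belong to other users."""
        if caller.client_id != client_id:
            raise PermissionError("caller is not authenticated for this client")
        victims = [t for t in self._tokens.values() if t.client_id == client_id]
        for t in victims:
            del self._tokens[t.token_id]
        return sorted(t.token_id for t in victims)

    def revoke_scoped(self, caller: Token, client_id: str):
        """Hardened pattern: revocation is additionally restricted to the
        caller's own user, so other users' sessions on the client survive."""
        if caller.client_id != client_id:
            raise PermissionError("caller is not authenticated for this client")
        victims = [t for t in self._tokens.values()
                   if t.client_id == client_id and t.user_id == caller.user_id]
        for t in victims:
            del self._tokens[t.token_id]
        return sorted(t.token_id for t in victims)


def collateral(revoked, caller: Token, tokens):
    """Revoked tokens that did not belong to the caller. A non-empty result
    means other users were logged out: the denial of service in the advisory."""
    by_id = {t.token_id: t for t in tokens}
    return sorted(i for i in revoked if by_id[i].user_id != caller.user_id)


def demo():
    alice = SAMPLE_TOKENS[0]            # alice's token on "app-client"
    vulnerable = TokenStore(SAMPLE_TOKENS)
    revoked_v = vulnerable.revoke_unscoped(alice, "app-client")
    hardened = TokenStore(SAMPLE_TOKENS)
    revoked_h = hardened.revoke_scoped(alice, "app-client")
    return {
        "vulnerable_revoked": revoked_v,
        "vulnerable_collateral": collateral(revoked_v, alice, SAMPLE_TOKENS),
        "vulnerable_remaining": vulnerable.active_ids(),
        "hardened_revoked": revoked_h,
        "hardened_collateral": collateral(revoked_h, alice, SAMPLE_TOKENS),
        "hardened_remaining": hardened.active_ids(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the unscoped handler revoking bob's and carol's tokens on `app-client` when alice calls it, while the scoped handler revokes only alice's own token. A regression test for the fixed versions can assert exactly that: a revocation request must never remove a token whose `user_id` differs from the caller's, and a request for a client the caller is not authenticated to must be refused.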
References