CVE-2018-1262
UAA privilege escalation across identity zones
CVSS 3.1 score: 7.2 (HIGH); EPSS: 0.39%
Description
Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.
How to fix CVE-2018-1262
To remediate CVE-2018-1262, upgrade the affected package to a fixed version below.
- Upgrade to 4.12.2 or later
Is CVE-2018-1262 being exploited?
Low: the EPSS score is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Cloud Foundry Foundation UAA: >= 4.12.0, < 4.12.2
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |