CVE-2017-8031: UAA Denial of Service through client token revocation endpoint
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- All versions prior to v279
- 30.x versions prior to 30.6
- 45.x versions prior to 45.4
- 52.x versions prior to 52.1
In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.
Users of affected versions should apply the following mitigations or upgrades.
- Releases that have fixed this issue include:
- cf-release: v279
- UAA: 30.6, 45.4, 52.1
This issue was responsibly reported by the UAA team.
2017-11-07: Initial vulnerability report published.
2017-11-16: Added cf-release version info.