Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

by: November 7, 2017

CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

Severity

Medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • cf-release
    • All versions prior to v279
  • UAA
    • 30.x versions prior to 30.6
    • 45.x versions prior to 45.4
    • 52.x versions prior to 52.1

Description

In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.

Mitigation

Users of affected versions should apply the following mitigations or upgrades.

  • Releases that have fixed this issue include:
    • cf-release: v279
    • UAA: 30.6, 45.4, 52.1

Credit

This issue was responsibly reported by the UAA team.

History

2017-11-07: Initial vulnerability report published.

2017-11-16: Added cf-release version info.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-5631-1: libjpeg-turbo vulnerabilities
Security Advisory

USN-5631-1: libjpeg-turbo vulnerabilities

by Cloud Foundry Foundation Security Team September 29, 2022
USN-3887-1: snapd vulnerability
Security Advisory

USN-3887-1: snapd vulnerability

by Cloud Foundry Foundation Security Team February 15, 2019
USN-4760-1: libzstd vulnerabilities
Security Advisory

USN-4760-1: libzstd vulnerabilities

by Cloud Foundry Foundation Security Team March 22, 2021
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept