Cloud Foundry Logo

CVE-2018-11082: UAA MFA doesn’t prevent brute force of MFA code


Share

CVE-2018-11082: UAA MFA doesn’t prevent brute force of MFA code

Severity

medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using uaa-release versions prior to 61.0
  • You are using uaa versions prior to 4.20.0

Description

UAA, versions prior to 4.20.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • uaa-release versions 61.0
    • uaa version 4.20.0

Credit

This issue was responsibly reported by the GE Digital Security team.

History

2018-10-01: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES