Security Advisory

CVE-2018-11082: UAA MFA doesn’t prevent brute force of MFA code

Severity

medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • You are using uaa-release versions prior to 61.0
  • You are using uaa versions prior to 4.20.0

Description

UAA, versions prior to 4.20.0, does not limit the number of failed MFA code attempts, so the MFA code can be brute forced. A remote attacker who already holds a valid username and password can therefore submit guesses until one is accepted and log in as the targeted user, defeating the protection MFA was meant to add to the password.
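The following is an added illustration of the failure mode this advisory describes; it is not UAA's code. It models the MFA check with a plain RFC 4226/6238 HOTP/TOTP implementation, then contrasts a verifier that counts nothing (so every call is one more free guess at a 6-digit code) with one that locks the user out after a fixed number of failures. The secret, the username, the timestamp and the lockout parameters are constructed for the demo; Python is used here rather than UAA's Java so the example runs stand-alone.

```python
"""Added example (not UAA's code): why an MFA verifier must cap failed attempts.

All names, the secret and the timestamp below are constructed for the demo.
"""
import functools
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30


@functools.lru_cache(maxsize=None)  # cached only to keep the 10**6-guess demo fast
def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP for the time step containing `now`.

    Real verifiers usually also accept the adjacent steps for clock skew,
    which only enlarges the set of codes an attacker can hit.
    """
    return hotp(secret, now // step)


class UnlimitedMfaVerifier:
    """Vulnerable pattern: every call is an independent guess, nothing is counted."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, user: str, code: str, now: int):
        ok = hmac.compare_digest(code, totp(self.secret, now))
        return ok, ("ok" if ok else "invalid")


class LockoutMfaVerifier:
    """Hardened pattern: count failures per user and lock the user out for a cooldown."""

    def __init__(self, secret: bytes, max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def verify(self, user: str, code: str, now: int):
        if now < self._locked_until.get(user, 0):
            # Refuse before comparing: a locked user gets no oracle at all.
            return False, "locked"
        if hmac.compare_digest(code, totp(self.secret, now)):
            self._failures.pop(user, None)
            return True, "ok"
        failures = self._failures.get(user, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
        else:
            self._failures[user] = failures
        return False, "invalid"


def brute_force(verifier, user: str, now: int):
    """Attacker who already has the password: submit 000000..999999 within one step.

    Returns (accepted_code or None, attempts made); stops as soon as it is locked out.
    """
    for attempts, guess in enumerate(range(10 ** DIGITS), start=1):
        candidate = str(guess).zfill(DIGITS)
        accepted, reason = verifier.verify(user, candidate, now)
        if accepted:
            return candidate, attempts
        if reason == "locked":
            return None, attempts
    return None, 10 ** DIGITS


if __name__ == "__main__":
    SECRET = b"constructed demo secret, not a real key"  # constructed
    NOW = 1_700_000_000                                   # constructed timestamp
    print("unlimited:", brute_force(UnlimitedMfaVerifier(SECRET), "alice", NOW))
    print("lockout:  ", brute_force(LockoutMfaVerifier(SECRET), "alice", NOW))
```

Against the unlimited verifier the loop always finds the code within one time step (at most one million requests, and fewer on average); against the lockout verifier it is cut off after `max_failures` guesses, and the correct code is refused for that user until the cooldown passes while other users are unaffected. A per-user counter like this is the minimum; production systems also throttle by source address and alert on the lockout event, since a lockout on an account whose password was just accepted is itself a strong signal that the password is compromised.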

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • uaa-release version 61.0 or later
    • uaa version 4.20.0 or later

Credit

This issue was responsibly reported by the GE Digital Security team.

History

2018-10-01: Initial vulnerability report published.

Cloud Foundry Foundation Security Team, AUTHOR