CVE-2018-11082: UAA MFA doesn’t prevent brute force of MFA code
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using uaa-release versions prior to 61.0
- You are using uaa versions prior to 4.20.0
UAA, versions prior to 4.20.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
- uaa-release versions 61.0
- uaa version 4.20.0
This issue was responsibly reported by the GE Digital Security team.
2018-10-01: Initial vulnerability report published.