CVE-2018-11083: BOSH accepts refresh token as access token
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using bosh-release versions prior to:
  - v264 prior to v264.14.0
  - v265 prior to v265.7.0
  - v266 prior to v266.8.0
  - v267 prior to v267.2.0
BOSH allows refresh tokens to be used as access tokens when using UAA for authentication. A remote attacker holding an admin refresh token issued by UAA can use it directly to access BOSH resources without ever obtaining an access token, even if the user the token belongs to no longer has access to those resources.
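The flaw described above, as an added illustration that is not BOSH or UAA code: a token check that stops at signature and expiry (the vulnerable shape) beside one that also insists the presented token is an access token. It assumes HS256 JWTs signed with a constructed key, a constructed 'token_type' claim to mark the token kind, and the scope name bosh.admin.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Constructed HMAC key for this example; a real director verifies UAA's signing key.
SIGNING_KEY = 'example-shared-secret'.freeze
def b64url(str)
  Base64.urlsafe_encode64(str, padding: false)
end
def hmac_sig(signing_input)
  b64url(OpenSSL::HMAC.digest('SHA256', SIGNING_KEY, signing_input))
end
# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Mints an HS256 JWT with the given claims (stand-in for the token issuer).
def mint_token(claims)
  signing_input = "#{b64url(JSON.generate({ 'alg' => 'HS256' }))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{hmac_sig(signing_input)}"
end
# Returns the claims when the signature is valid and the token is unexpired, else nil.
def verified_claims(token, now)
  header, body, sig = token.split('.')
  return nil unless sig && token.count('.') == 2 && secure_equal?(sig, hmac_sig("#{header}.#{body}"))
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  claims['exp'] > now ? claims : nil
end

# Flawed shape: any validly signed, unexpired token carrying the scope is
# accepted, so a refresh token passes wherever an access token is required.
def authorize_vulnerable(token, scope, now)
  claims = verified_claims(token, now)
  !claims.nil? && claims['scope'].include?(scope)
end

# Hardened shape: the token must also be an access token. Assumption: kind is
# signalled by a constructed 'token_type' claim; use the issuer's real marker.
def authorize_fixed(token, scope, now)
  claims = verified_claims(token, now)
  !claims.nil? && claims['token_type'] == 'access' && claims['scope'].include?(scope)
end

# Constructed tokens with identical scope, differing only in kind (fixed constructed clock).
def demo(now = 1_538_524_800)
  access = mint_token('token_type' => 'access', 'scope' => ['bosh.admin'], 'exp' => now + 600)
  refresh = mint_token('token_type' => 'refresh', 'scope' => ['bosh.admin'], 'exp' => now + 86_400)
  [authorize_vulnerable(access, 'bosh.admin', now), authorize_vulnerable(refresh, 'bosh.admin', now),
   authorize_fixed(access, 'bosh.admin', now), authorize_fixed(refresh, 'bosh.admin', now)]
end
```

`demo` returns `[true, true, true, false]`: only the hardened check turns the refresh token away.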
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - bosh-release versions v264.14.0, v265.7.0, v266.8.0, v267.2.0
This issue was responsibly reported by Dr. Nic Williams, Stark and Wayne.
2018-10-03: Initial vulnerability report published.