CVE-2018-1192: UAA SessionID present in Audit Event Logs
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- All cf-release versions prior to v285
- All cf-deployment versions prior to v1.7
- UAA 4.5.x versions prior to 4.5.5
- UAA 4.7.x versions prior to 4.7.4
- UAA 4.8.x versions prior to 4.8.3
- UAA-release 45.7.x versions prior to 45.7
- UAA-release 52.7.x versions prior to 52.7
- UAA-release 53.3.x versions prior to 53.3
Cloud Foundry UAA writes the user's SessionID into its audit event logs. Anyone who can read those logs can use the SessionID to impersonate that logged-in user.
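As an added example (not code from the advisory or from UAA itself), the following Python shows a defender-side check for this class of problem. The audit-line layout, the field names sessionId / JSESSIONID and the sample lines are constructed assumptions, not UAA's real audit log format; adapt the pattern to the format actually in use. find_leaked_session_ids reports whether an existing log contains raw session identifiers, and redact_line shows the logging pattern that avoids the leak: recording a non-reversible fingerprint of the session so events can still be correlated while the log holds nothing that can be replayed.

```python
"""Defender-side check for session identifiers leaking into audit logs.

Added example, not part of the advisory or of UAA. The audit line layout and
the field names (sessionId / JSESSIONID) are assumptions constructed for this
example; adapt SESSION_ID_RE to the real log format.
"""
import hashlib
import re

# Assumed pattern: a session identifier written as a key=value field.
# Real audit logs may carry it under a different key or layout.
SESSION_ID_RE = re.compile(r"(?i)\b(jsessionid|sessionid)=([A-Za-z0-9._-]+)")

# Constructed sample audit lines (not real UAA output). Lines 1 and 3 leak a
# raw session id; line 2 is a clean event that must pass through unchanged.
SAMPLE_AUDIT_LINES = [
    "2018-01-31T10:15:02Z event=LoginSuccess principal=alice sessionId=7f3c9a1e0b2d4c6e remoteAddr=10.0.0.5",
    "2018-01-31T10:15:09Z event=TokenIssued principal=alice clientId=cf remoteAddr=10.0.0.5",
    "2018-01-31T10:16:41Z event=LoginSuccess principal=bob JSESSIONID=9e8d7c6b5a4f3e2d remoteAddr=10.0.0.9",
]


def fingerprint(session_id: str) -> str:
    """Short, non-reversible reference for a session id.

    Lets the same session be correlated across audit events without the log
    containing anything that could be replayed. A keyed HMAC would be the
    stricter choice if the fingerprint itself must not be guessable.
    """
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()[:12]


def redact_line(line: str) -> str:
    """Replace every raw session id in an audit line with its fingerprint.

    The replacement is wrapped in brackets so it can never re-match
    SESSION_ID_RE and be mistaken for a leak on a later scan.
    """
    return SESSION_ID_RE.sub(
        lambda m: f"{m.group(1)}=[fp:{fingerprint(m.group(2))}]", line
    )


def find_leaked_session_ids(lines):
    """Return (line_number, session_id) for every raw session id found.

    Run this over existing audit logs to see whether they are affected; any
    hit means that log must be handled as credential-bearing material.
    """
    leaks = []
    for number, line in enumerate(lines, start=1):
        for match in SESSION_ID_RE.finditer(line):
            leaks.append((number, match.group(2)))
    return leaks


def redact_all(lines):
    """Redact a whole log, returning the cleaned lines."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for number, sid in find_leaked_session_ids(SAMPLE_AUDIT_LINES):
        print(f"line {number}: raw session id present ({sid[:4]}...)")
    for line in redact_all(SAMPLE_AUDIT_LINES):
        print(line)
```

Running the block scans the constructed sample, reports the two leaking lines, and prints the redacted log; a second scan over the redacted output finds nothing, which is the property a log-scrubbing step should be checked for before it is trusted.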
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - cf-release: 285
  - cf-deployment: 1.7
  - UAA: 4.5.5, 4.7.4, 4.8.3
  - UAA-release: 45.7, 52.7, 53.3
This issue was responsibly reported by the UAA team.
2018-01-31: Initial vulnerability report published.