CVE-2019-3794: UAA – Login app subject to clickjacking attack
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- Severity is medium unless otherwise noted.
- UAA Release (OSS) is vulnerable prior to v73.4.0
Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA’s frontend sites.
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- UAA Release (OSS)
- Upgrade All versions to v73.4.0 or greater
2019-07-09: Initial vulnerability report published.