CVSS score: 2.7 (Low)
Cloud Foundry Foundation
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers, in the following scenario:
- an external identity provider is linked to the UAA
- a refresh token is issued to a client on behalf of a user from that identity provider
- the administrator of the UAA deactivates the identity provider from the UAA
It is expected that the UAA would reject such a refresh token during a refresh token grant, but it does not (hence the vulnerability). It continues to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active.
As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
Affected Cloud Foundry Products and Versions
*Severity is 2.7 unless otherwise noted.
- all supported releases
Users of Cloud Foundry and UAA are encouraged to follow the mitigations below.
When updating an identity provider’s settings in the UAA to make it inactive (setting “active” to “false”), if you expect all tokens issued through that provider to be revoked, you must revoke them manually by calling one of the UAA endpoints for revoking tokens.
At this time this notice is provided for your information only. Users are encouraged to apply the mitigation to their UAA identity provider management process.
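The following is an added illustration, not UAA code and not part of the original advisory. It models the refresh token grant described above with a minimal in-memory token store: the "vulnerable" grant checks only expiry and revocation, the "hardened" grant additionally rejects refresh tokens whose origin identity provider is no longer active, and the deactivation step can optionally apply the manual mitigation (revoking the affected tokens, which in a real deployment is done through the UAA token-revocation endpoints the advisory refers to). The provider, user, client and token names are constructed for the example; the 30-day refresh-token lifetime is the default stated in the advisory.

```python
from dataclasses import dataclass, field

# UAA's default refresh-token validity is 30 days (stated in the advisory).
REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 60 * 60


@dataclass
class RefreshToken:
    token_id: str
    user_id: str
    client_id: str
    origin: str          # key of the identity provider that authenticated the user
    issued_at: int       # seconds on the model's own clock
    revoked: bool = False


@dataclass
class UaaModel:
    """Minimal stand-in for the UAA token store; not the real implementation."""
    providers: dict                              # origin -> active flag
    clock: int = 0                               # simulated time in seconds
    tokens: dict = field(default_factory=dict)   # token_id -> RefreshToken

    def issue_refresh_token(self, token_id, user_id, client_id, origin):
        """Tokens are only ever issued while the provider is active."""
        if not self.providers.get(origin, False):
            raise ValueError(f"identity provider {origin!r} is not active")
        tok = RefreshToken(token_id, user_id, client_id, origin, self.clock)
        self.tokens[token_id] = tok
        return tok

    def _live_token(self, token_id):
        """Checks shared by both grant variants: exists, not revoked, not expired."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            return None
        if self.clock - tok.issued_at >= REFRESH_TOKEN_TTL_SECONDS:
            return None
        return tok

    def refresh_grant_vulnerable(self, token_id):
        """Behaviour the advisory describes: the origin provider's status is never consulted."""
        tok = self._live_token(token_id)
        if tok is None:
            return None
        return {"user_id": tok.user_id, "client_id": tok.client_id, "origin": tok.origin}

    def refresh_grant_hardened(self, token_id):
        """Same grant, but also rejects tokens whose origin provider is inactive."""
        tok = self._live_token(token_id)
        if tok is None or not self.providers.get(tok.origin, False):
            return None
        return {"user_id": tok.user_id, "client_id": tok.client_id, "origin": tok.origin}

    def deactivate_provider(self, origin, revoke_tokens=False):
        """Set the provider inactive; optionally apply the advisory's manual mitigation
        by revoking every refresh token that was issued through that provider."""
        self.providers[origin] = False
        if revoke_tokens:
            for tok in self.tokens.values():
                if tok.origin == origin:
                    tok.revoked = True


def run_scenario(revoke_on_deactivate):
    """Walk through the advisory's scenario and report whether each grant variant
    still hands out an access token. All names below are constructed."""
    uaa = UaaModel(providers={"uaa": True, "corp-saml": True})
    uaa.issue_refresh_token("rt-1", "user-42", "cf", "corp-saml")
    uaa.clock += 3600  # an hour later the administrator sets the provider inactive
    uaa.deactivate_provider("corp-saml", revoke_tokens=revoke_on_deactivate)
    result = {
        "vulnerable": uaa.refresh_grant_vulnerable("rt-1") is not None,
        "hardened": uaa.refresh_grant_hardened("rt-1") is not None,
    }
    # Without mitigation the window only closes once the refresh token expires.
    uaa.clock = REFRESH_TOKEN_TTL_SECONDS
    result["vulnerable_after_ttl"] = uaa.refresh_grant_vulnerable("rt-1") is not None
    return result


if __name__ == "__main__":
    print("no revocation:  ", run_scenario(revoke_on_deactivate=False))
    print("with revocation:", run_scenario(revoke_on_deactivate=True))
```

Running the scenario without revocation shows the vulnerable grant still succeeding after the provider is deactivated and only failing once the 30-day lifetime has elapsed; with the mitigation applied at deactivation time, both grant variants reject the token immediately.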
This issue was responsibly reported by Florian Tack (SAP).
2023-03-20: Initial vulnerability report published.