Description
The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.
References
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1
Version up to 1.31.0 (inclusive)
Version up to 266 (inclusive)
Version up to 0.158.0 (inclusive)
One of:
cpe:2.3:a:cloudfoundry:capi-release:*:*:*:*:*:*:*:*
cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*
cpe:2.3:a:cloudfoundry:routing-release:*:*:*:*:*:*:*:*
EPSS: 0.00472 (percentile: 64%), Low
CVSS3: 6.6 Medium
CVSS2: 6 Medium
Weaknesses
CWE-565
Related vulnerabilities
CVSS3: 6.6
github
more than 3 years ago
The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.
EPSS: 0.00472 (percentile: 64%), Low
CVSS3: 6.6 Medium
CVSS2: 6 Medium
Weaknesses
CWE-565