Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-11083

Опубликовано: 05 окт. 2018
Источник: nvd
CVSS3: 8.4
CVSS3: 8.1
CVSS2: 6.8
EPSS Низкий

Описание

Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can be used to access BOSH resources without obtaining an access token, even if their user no longer has access to those resources.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:cloud_foundry:bosh:*:*:*:*:*:*:*:*
Версия от 264.1 (включая) до 264.14.0 (исключая)
cpe:2.3:a:cloud_foundry:bosh:*:*:*:*:*:*:*:*
Версия от 265.1.0 (включая) до 265.7.0 (исключая)
cpe:2.3:a:cloud_foundry:bosh:*:*:*:*:*:*:*:*
Версия от 266.2.0 (включая) до 266.8.0 (исключая)

EPSS

Процентиль: 70%
0.00647
Низкий

8.4 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

github логотип

GHSA-rj7c-vg4r-rx5m

CVSS3: 8.1
github
больше 3 лет назад

Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can be used to access BOSH resources without obtaining an access token, even if their user no longer has access to those resources.

EPSS

Процентиль: 70%
0.00647
Низкий

8.4 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

NVD-CWE-noinfo