CVE-2018-11083

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-11083

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11083.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2018-11083

Published

2018-10-05T21:29:00Z

Modified

2025-02-14T07:41:02Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can be used to access BOSH resources without obtaining an access token, even if their user no longer has access to those resources.

References

https://www.cloudfoundry.org/blog/cve-2018-11083

Affected packages

Git / github.com/cloudfoundry/bosh

Affected ranges

Type: GIT
Repo: https://github.com/cloudfoundry/bosh
Events: Introduced

f59dfe2bcd97637d4e1f5a1489b55e72ef7b171e

Fixed

4d531cc54604a5d7a78c26853ef558d9046ed5fb