GHSA-9frw-wmvq-5rrc

Source
https://github.com/advisories/GHSA-9frw-wmvq-5rrc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9frw-wmvq-5rrc/GHSA-9frw-wmvq-5rrc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9frw-wmvq-5rrc
Aliases
Published
2022-05-13T01:07:27Z
Modified
2024-03-01T20:26:38.645026Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Cloud Foundry UAA Identity Zone Admin Privilege Escalation
Details

In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12, 30.x versions prior to v30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.

Database specific
{
    "nvd_published_at": "2017-07-10T20:29:00Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T20:07:28Z"
}
References

Affected packages

Maven / org.cloudfoundry.identity:cloudfoundry-identity-server

Package

Name
org.cloudfoundry.identity:cloudfoundry-identity-server
Purl
pkg:maven/org.cloudfoundry.identity/cloudfoundry-identity-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.6.13

Affected versions

3.*

3.0.0
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.0.1
3.3.0.2
3.3.0.3
3.3.0.4
3.3.0.5
3.4.0
3.4.2
3.4.3
3.4.4
3.4.5
3.5.0
3.6.0

Maven / org.cloudfoundry.identity:cloudfoundry-identity-server

Package

Name
org.cloudfoundry.identity:cloudfoundry-identity-server
Purl
pkg:maven/org.cloudfoundry.identity/cloudfoundry-identity-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.7.0
Fixed
3.9.15

Affected versions

3.*

3.7.0
3.7.3
3.8.0
3.9.0
3.9.1

Maven / org.cloudfoundry.identity:cloudfoundry-identity-server

Package

Name
org.cloudfoundry.identity:cloudfoundry-identity-server
Purl
pkg:maven/org.cloudfoundry.identity/cloudfoundry-identity-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.10.0
Fixed
3.20.0

Affected versions

3.*

3.10.0
3.12.0
3.13.0
3.15.0
3.16.0
3.18.0
3.19.0

Maven / org.cloudfoundry.identity:cloudfoundry-identity-server

Package

Name
org.cloudfoundry.identity:cloudfoundry-identity-server
Purl
pkg:maven/org.cloudfoundry.identity/cloudfoundry-identity-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.4.0

Affected versions

4.*

4.1.0
4.2.0
4.3.0