In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
References
Link | Resource |
---|---|
https://www.cloudfoundry.org/blog/cve-2018-1195/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: dell
Published: 2018-03-05T00:00:00
Updated: 2018-03-19T17:57:01
Reserved: 2017-12-06T00:00:00
Link: CVE-2018-1195
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-03-19T18:29:00.327
Modified: 2022-08-29T20:43:09.483
Link: CVE-2018-1195
JSON object: View
Redhat Information
No data.
CWE