CVE-2018-1192

HIGH

Cloud Foundry Foundation cf-release <v285 - Info Disclosure

Title source: llm
STIX 2.1

Description

In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/blog/cve-2018-1192/

Scores

CVSS v3 8.8
EPSS 0.0103
EPSS Percentile 59.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (7)
org.cloudfoundry.identity/cloudfoundry-identity-server 0 - 4.5.5Maven
pivotal_software/cloud_foundry_cf-deployment < 1.7
pivotal_software/cloud_foundry_cf-release < 285
pivotal_software/cloud_foundry_uaa 4.5.0 - 4.5.5
pivotal_software/cloud_foundry_uaa-release 45.7
pivotal_software/cloud_foundry_uaa-release 52.7
pivotal_software/cloud_foundry_uaa-release 53.3
Published Feb 01, 2018
Tracked Since Feb 18, 2026