CVE-2018-1192
HIGHCloud Foundry Foundation cf-release <v285 - Info Disclosure
Title source: llmDescription
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.cloudfoundry.org/blog/cve-2018-1192/
Scores
CVSS v3
8.8
EPSS
0.0103
EPSS Percentile
59.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-200
Status
published
Products (7)
org.cloudfoundry.identity/cloudfoundry-identity-server
0 - 4.5.5Maven
pivotal_software/cloud_foundry_cf-deployment
< 1.7
pivotal_software/cloud_foundry_cf-release
< 285
pivotal_software/cloud_foundry_uaa
4.5.0 - 4.5.5
pivotal_software/cloud_foundry_uaa-release
45.7
pivotal_software/cloud_foundry_uaa-release
52.7
pivotal_software/cloud_foundry_uaa-release
53.3
Published
Feb 01, 2018
Tracked Since
Feb 18, 2026