Description
Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.
Remediation
References
https://www.cloudfoundry.org/blog/cve-2018-11047/
Related Vulnerabilities
CVE-2018-1275 Vulnerability in maven package org.springframework:spring-messaging
CVE-2014-3623 Vulnerability in maven package org.apache.cxf:cxf-rt-security
CVE-2021-31405 Vulnerability in maven package com.vaadin:vaadin-text-field-flow
CVE-2023-43666 Vulnerability in maven package org.apache.inlong:manager-web
CVE-2023-29208 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore