Description
Spring Cloud SSO Connector, version 2.1.2, contains a regression that disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers that use this version of the SSO Connector with tokens generated from another service plan.
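The missing check, as an added example that is not the SSO Connector's or Pivotal's own code: a bearer token whose signature verifies is still only trustworthy for the resource server bound to the plan that issued it, and the `iss` claim is what tells the plans apart; the `check_issuer` flag models the regression. The shared HS256 signing key, the plan issuer URLs and the `mint_token` helper are constructed assumptions for illustration, not values from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: a signing key assumed (for illustration) to be
# shared by both plans, and one issuer URL per SSO service plan (hypothetical).
SHARED_KEY = b"constructed-shared-signing-key"
PLAN_A_ISSUER = "https://plan-a.login.example.test/oauth/token"
PLAN_B_ISSUER = "https://plan-b.login.example.test/oauth/token"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str, key: bytes = SHARED_KEY) -> str:
    """Build a compact HS256 JWT as an SSO plan would issue it (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, expected_issuer: str, check_issuer: bool = True) -> dict:
    """Resource-server side check; check_issuer=False models the regression."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    expected_sig = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload))
    # A token from another plan carries a valid signature but a foreign issuer.
    if check_issuer and claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} not bound to this resource server")
    return claims


def accepts(token: str, expected_issuer: str, check_issuer: bool = True) -> bool:
    """True if the resource server would authenticate the bearer of `token`."""
    try:
        validate_token(token, expected_issuer, check_issuer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    foreign = mint_token(PLAN_B_ISSUER, "user-from-plan-b")
    print("issuer validation on :", accepts(foreign, PLAN_A_ISSUER))
    print("issuer validation off:", accepts(foreign, PLAN_A_ISSUER, check_issuer=False))
```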
Remediation
References
https://pivotal.io/security/cve-2018-1256