
cpe:2.3:a:cloud_foundry:uaa_release:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Cloud Foundry (bbc462c7-a964-5178-97e1-18033ab4dbd3)
Product: Uaa Release (c821cb4e-1d9c-5082-a22d-19c72d583daf)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL, Source, Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier, cpeApplicability, Submitted, db.gcve.eu details, Rationale

Identifier: CVE-2019-11293
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:39:32.663800
Title: UAA logs all query parameters with debug logging level
Severity: HIGH (8.8)
Description: Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
Published: 2019-12-06T20:00:17.131Z
Updated: 2024-09-16T17:57:54.838Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2019-11290
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:39:32.656620
Title: Cloud Foundry UAA logs query parameters in tomcat access file
Severity: HIGH (8.8)
Description: Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well.
Published: 2019-11-25T23:56:17.082Z
Updated: 2024-09-16T21:02:44.357Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2019-11282
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:39:32.628377
Title: UAA is vulnerable to a Blind SCIM injection leading to information disclosure
Severity: MEDIUM (4.3)
Description: Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.
Published: 2019-10-23T15:28:24.395Z
Updated: 2024-09-16T23:26:37.789Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2018-15761
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:38:19.388521
Title: UAA Privilege Escalation
Severity: CRITICAL (9.9)
Description: Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Published: 2018-11-19T14:00:00.000Z
Updated: 2024-09-17T00:46:20.654Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2018-15754
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:38:19.316941
Title: UAA can issue tokens across identity providers if users with matching usernames exist
Severity: MEDIUM (4.2)
Description: Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
Published: 2018-12-13T22:00:00.000Z
Updated: 2024-09-16T17:24:01.117Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2018-11082
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:38:00.878783
Title: Cloud Foundry UAA MFA does not prevent brute force of MFA code
Severity: MEDIUM (6.6)
Description: Cloud Foundry UAA, all versions prior to 4.20.0, and Cloud Foundry UAA Release, all versions prior to 61.0, allow brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.
Published: 2018-10-05T21:00:00.000Z
Updated: 2024-09-17T02:00:59.932Z
Rationale: Imported from gcve-enriched-dumps CVE data
