Privilege Escalation

Affecting org.cloudfoundry.identity:cloudfoundry-identity-uaa artifact, versions [3.0.0, 3.6.5) || [3.7, 3.9.3) || [2.0.0, 2.7.4.12)

Overview

org.cloudfoundry.identity:cloudfoundry-identity-uaa is the Cloud Foundry User Account and Authentication (UAA) server, the identity service that issues OAuth2 tokens for Cloud Foundry and can federate logins to external identity providers, including SAML.

Affected versions of this package are vulnerable to Privilege Escalation. An attacker who can read the UAA logs can use information recorded there and then run a specially crafted application that interacts with a configured SAML provider to gain privileges. Read access to the UAA logs is a precondition, which is why the CVSS attack complexity is rated High; no authentication to UAA itself is required (PR:N).

Remediation

Upgrade org.cloudfoundry.identity:cloudfoundry-identity-uaa to a fixed release on the branch you are running: 3.6.5 or higher for the 3.0.x-3.6.x line, 3.9.3 or higher for the 3.7.x-3.9.x line, or 2.7.4.12 or higher for the 2.x line.
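To check a deployed UAA version against the three affected ranges without eyeballing the interval notation, the following Python snippet parses the Snyk-style range expression printed in this advisory and reports whether a version is affected and which release on its branch first fixes it. This is an added example written for this page, not Snyk's or Cloud Foundry's code; it assumes versions are plain dotted integers (release artifacts such as 3.6.4 or 2.7.4.11) and the range string is copied verbatim from the advisory header.

```python
import re
from typing import List, Optional, Tuple

# Affected range expression, copied from the advisory header above.
AFFECTED = "[3.0.0, 3.6.5) || [3.7, 3.9.3) || [2.0.0, 2.7.4.12)"

# One interval: opening bracket, lower bound, upper bound, closing bracket.
# '[' / ']' are inclusive, '(' / ')' are exclusive, as in Maven/Snyk notation.
RANGE_RE = re.compile(r"^\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*$")
Range = Tuple[str, str, str, str]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.7.4.12' -> (2, 7, 4, 12). Assumption: plain dotted integers only;
    a qualifier such as '-SNAPSHOT' raises ValueError rather than being guessed at."""
    return tuple(int(part) for part in v.strip().split("."))


def compare(a: str, b: str) -> int:
    """Three-way compare of two versions; shorter tuples are zero-padded so 3.7 == 3.7.0."""
    x, y = parse_version(a), parse_version(b)
    n = max(len(x), len(y))
    x, y = x + (0,) * (n - len(x)), y + (0,) * (n - len(y))
    return (x > y) - (x < y)


def parse_ranges(expr: str) -> List[Range]:
    """Split 'A || B || C' into intervals, rejecting anything that is not an interval."""
    ranges: List[Range] = []
    for part in expr.split("||"):
        m = RANGE_RE.match(part)
        if not m:
            raise ValueError(f"unparseable range: {part!r}")
        ranges.append(m.groups())  # type: ignore[arg-type]
    return ranges


def in_range(version: str, rng: Range) -> bool:
    """Inclusive/exclusive bound handling for a single interval."""
    open_br, low, high, close_br = rng
    lo, hi = compare(version, low), compare(version, high)
    low_ok = lo > 0 or (lo == 0 and open_br == "[")
    high_ok = hi < 0 or (hi == 0 and close_br == "]")
    return low_ok and high_ok


def is_affected(version: str, expr: str = AFFECTED) -> bool:
    return any(in_range(version, r) for r in parse_ranges(expr))


def fixed_version_for(version: str, expr: str = AFFECTED) -> Optional[str]:
    """For an affected version, the exclusive upper bound of its interval is the
    first fixed release on that branch (3.6.5, 3.9.3 or 2.7.4.12). None if not affected."""
    for r in parse_ranges(expr):
        if in_range(version, r) and r[3] == ")":
            return r[2]
    return None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for v in ["2.7.4.11", "2.7.4.12", "3.6.4", "3.6.5", "3.6.6", "3.7", "3.9.2", "3.9.3", "4.0.0"]:
        fix = fixed_version_for(v)
        print(f"{v:>9}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
```

Note the gap between 3.6.5 and 3.7: a 3.6.x release at or above 3.6.5 is outside both 3.x intervals and is therefore not affected, which matches the remediation above. The parser deliberately refuses qualifiers like `-SNAPSHOT` instead of silently treating them as the release they precede.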

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
David King, Graham Bleach, Piotr Komborski
CVE
CVE-2016-6659
CWE
CWE-287
Snyk ID
SNYK-JAVA-ORGCLOUDFOUNDRYIDENTITY-451524
Disclosed
12 Dec, 2016
Published
04 Jul, 2019