[SECURITY][LOW] CVE-2016-0781 UAA Persistent XSS Vulnerability

Home Messages Hashtags Subgroups

Chip Childers <cchilders@...> #4303 CVE-2016-0781 UAA Persistent XSS VulnerabilitySeverity Low Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry v208 through v231 Login-server v1.6 - v1.14 UAA v2.0.0 - v2.7.4.1 & v3.0.0 - v3.2.0 UAA-Release v2 - v7 Description The UAA OAuth approval pages are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions. Mitigation OSS users are strongly encouraged to follow one of the mitigations below: - Upgrade to Cloud Foundry v233 [1] or later - For standalone UAA users - For users using UAA Version 3.0.0, please upgrade to UAA Release to v3.2.1 [3] or later - For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.2 [2] or v3.2.1 [3] - For users using standalone login-server 1.X, please upgrade to UAA Release to v2.7.4.2 [2] or v3.2.1 [3] - For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v8 [4] Credit Discovered by the GE Digital Security Team References [1] https://github.com/cloudfoundry/cf-release/releases/tag/v233 [2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.2 [3] https://github.com/cloudfoundry/uaa/releases/tag/3.2.1 [4] https://github.com/cloudfoundry/uaa-release/releases/tag/v8 History 2016-Mar-XX: Initial vulnerability report published attachment.html
More All Messages By This Member

Join {cf-dev@lists.cloudfoundry.org to automatically receive all group messages.