[HIGH] CVE-2016-6651: Privilege Escalation in UAA

Molly Crowther

CVE-2016-6651: Privilege Escalation in UAA


Cloud Foundry Foundation
Versions Affected


Cloud Foundry release v242 and earlier versions

UAA release v3.7.0 & earlier versions

UAA bosh release (uaa-release) v16 & earlier versions


A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.

OSS users are strongly encouraged to follow one of the mitigations below:


Upgrade to Cloud Foundry v243 [1] or later

For standalone UAA users

For users using UAA Version 3.0.0 - 3.7.0, please upgrade to UAA
Release to v3.7.3[2], v3.4.5[3] or v3.3.0.6[4]

For users using standalone UAA Version 2.X.X, please upgrade to UAA
Release to v2.7.4.8 [5]

For users using UAA bosh release, please upgrade to UAA-Release v17
[6] if upgrading to v3.7.3 [2] ,v12.6 [7] if upgrading to v3.4.5[3] or
v11.7 [8] if upgrading to v3.3.0.6[4]


SAP HCP Security Team


[1] https://github.com/cloudfoundry/cf-release/releases/tag/v243

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5

[4] https://github.com/cloudfoundry/uaa/releases/tag/

[5] https://github.com/cloudfoundry/uaa/releases/tag/

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7

History2016-09-26: Initial vulnerability report published

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.