[MEDIUM] CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains

Molly Crowther



Vendor

Cloud Foundry Foundation

Versions Affected


Cloud Foundry release v241 and earlier versions

UAA release v2.0.0 - v2.7.4.6, v3.0.0 - v3.4.2

UAA BOSH release v12.3 & earlier versions


Description

Subdomains in the redirect_uri are not properly validated during the OAuth
authorization flow, making it possible to obtain implicit access tokens by
supplying a different subdomain in the request. Clients with the implicit
authorization grant type are affected.
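The check at the heart of this advisory is how an authorization server compares the redirect_uri in an incoming request against the one registered for the client. The following added example (not UAA's own code; the function names, the registered URI and the request URIs are all constructed for illustration) contrasts a hypothetical lax comparison that only looks at the registrable base domain, which accepts any sibling subdomain, with a strict comparison of scheme, host, port and path that rejects it. The strict variant also refuses fragments and userinfo in the redirect target, which RFC 6749 forbids.

```python
from urllib.parse import urlsplit

# Constructed sample registration: the only redirect URI this client may use.
REGISTERED_REDIRECT_URI = "https://app.example.com/callback"


def _base_domain(host):
    """Return the last two DNS labels of a host, e.g. 'example.com'."""
    return ".".join(host.lower().split(".")[-2:])


def weak_redirect_match(registered, requested):
    """Hypothetical lax check (illustration only): compares scheme and the
    registrable base domain, so any other subdomain of example.com is accepted.
    This is the class of defect the advisory describes."""
    reg, req = urlsplit(registered), urlsplit(requested)
    return (reg.scheme == req.scheme
            and _base_domain(reg.hostname or "") == _base_domain(req.hostname or ""))


def strict_redirect_match(registered, requested):
    """Hardened check: scheme, full hostname, port and path must all be
    identical to the registered value; fragments and userinfo are rejected.
    Ports are not normalised here, so the registered value should be stored
    without an explicit default port."""
    reg, req = urlsplit(registered), urlsplit(requested)
    try:
        reg_port, req_port = reg.port, req.port  # raises ValueError on a bad port
    except ValueError:
        return False
    if req.fragment or reg.fragment:
        return False
    if req.username is not None or req.password is not None:
        return False
    if req.scheme != reg.scheme or req.scheme not in ("https", "http"):
        return False
    # .hostname is already lower-cased by urlsplit; compare the whole label list.
    if (req.hostname or "") != (reg.hostname or "") or req.hostname is None:
        return False
    if req_port != reg_port:
        return False
    return (req.path or "/") == (reg.path or "/")


def evaluate(requested_uris, registered=REGISTERED_REDIRECT_URI):
    """Run both checks over a list of requested redirect URIs and return
    {uri: (weak_result, strict_result)} so the gap between them is visible."""
    return {
        uri: (weak_redirect_match(registered, uri), strict_redirect_match(registered, uri))
        for uri in requested_uris
    }


if __name__ == "__main__":
    # Constructed request URIs: the registered one, a sibling subdomain,
    # a downgraded scheme, a fragment, and a look-alike host.
    samples = [
        "https://app.example.com/callback",
        "https://other.example.com/callback",
        "http://app.example.com/callback",
        "https://app.example.com/callback#token",
        "https://app.example.com.evil.test/callback",
    ]
    for uri, (weak, strict) in evaluate(samples).items():
        print(f"{uri:45s} weak={weak!s:5s} strict={strict}")
```

Only the sibling-subdomain case differs between the two checks, which is exactly the gap that lets an implicit-grant token be delivered to a redirect target the client never registered.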

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:


Upgrade to Cloud Foundry v242 [1] or later

For standalone UAA users

For users running UAA version 3.0.0 - 3.4.2, please upgrade UAA Release to
v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]

For users running standalone UAA version 2.X.X, please upgrade UAA Release
to v2.7.4.7 [5]

For users of the UAA BOSH release, please upgrade to UAA-Release v16 [6]
if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3], or
v11.5 [8] if upgrading to v3.3.0.5 [4]


Credit

GE Digital Security Team


References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v242

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.0

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.4

[4] https://github.com/cloudfoundry/uaa/releases/tag/

[5] https://github.com/cloudfoundry/uaa/releases/tag/

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v16

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5


History

2016-09-26: Initial vulnerability report published

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.