Re: [HIGH] CVE-2016-6651: Privilege Escalation in UAA
Hello all,
In the interest of full public disclosure, the CFF Security Team would also
like to share some additional information about this vulnerability that
will aid in testing and remediation. Please let us know if you have any
questions or concerns.
Cloud Foundry Foundation Security Team
Description of Vulnerability
The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.
-H "Accept: application/json" \
-u "cf:" \
-d "username=<username here>" \
-d "password=<password here>" \
-d "client_id=cf" \
-d "grant_type=password" \
-d "response_type=token" \
A vulnerable system will return the following response:
"access_token": "redacted for readability",
"jti": "redacted for readability",
"refresh_token": "redacted for readability",
"scope": "openid … cloud_controller.test",
cloud_controller.test is an arbitrary string, but may as well be
Applications that perform off-line validation will happily accept the
inserted string as a permission. Applications that use online validations,
i.e. the use of the /check_token UAA API endpoint, are not vulnerable - the
UAA validates the permissions against what’s in the database (uaadb).
A patched system will ignore the external_scopes parameter completely, and
cloud_controller.test will not be returned in the response.
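The difference between off-line and online validation described above, as an added example that is not part of the original advisory or of the UAA code base. It models the two checks side by side: an off-line validator that verifies the token signature and then trusts the scope claim as-is, and a validator that additionally filters the claimed scopes against an authoritative per-client registry, which is what the UAA's /check_token endpoint achieves by consulting uaadb. The signing key, the client registry, the `issue` helper and the scope names are all constructed for illustration and do not model the real UAA token format.

```python
"""Added example (not from the advisory or the UAA project).

Contrasts an off-line scope check that trusts whatever a correctly signed
token says with a check that validates the claimed scopes against an
authoritative registry.  Everything here (key, registry, token layout) is
constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # stands in for the issuer's signing key

# Hypothetical registry: which scopes each client may legitimately be granted.
CLIENT_SCOPES = {
    "cf": {"openid", "cloud_controller.read", "cloud_controller.write"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(client_id: str, scopes: list) -> str:
    """Mint an HS256-style token.  Models an issuance path that copies the
    requested scopes into the token without filtering them, so the injected
    scope ends up inside a token whose signature is perfectly valid."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"client_id": client_id,
                               "scope": " ".join(scopes)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_signature(token: str) -> dict:
    """Check the HMAC and return the decoded claims; raise on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))


def offline_scopes(token: str) -> set:
    """Off-line validation: signature verified, scope claim trusted as-is.
    A valid signature says nothing about whether the scopes were earned."""
    return set(verify_signature(token)["scope"].split())


def checked_scopes(token: str, registry: dict = CLIENT_SCOPES) -> set:
    """Authoritative validation: keep only scopes the client is registered
    for.  Models the effect of the online /check_token lookup."""
    claims = verify_signature(token)
    allowed = registry.get(claims["client_id"], set())
    return set(claims["scope"].split()) & allowed


def injected_scopes(token: str, registry: dict = CLIENT_SCOPES) -> set:
    """Detection helper: scopes present in the token but unknown for the
    client.  A non-empty result is worth alerting on."""
    claims = verify_signature(token)
    allowed = registry.get(claims["client_id"], set())
    return set(claims["scope"].split()) - allowed


if __name__ == "__main__":
    # Constructed token carrying a scope the "cf" client was never granted.
    tok = issue("cf", ["openid", "cloud_controller.read", "cloud_controller.test"])
    print("offline  :", sorted(offline_scopes(tok)))
    print("checked  :", sorted(checked_scopes(tok)))
    print("injected :", sorted(injected_scopes(tok)))
```

The point of the two validators is that the off-line one cannot fail here: the issuer signed the token, so the signature is genuine and the unexpected scope is accepted. Only a check that compares the claimed scopes with what the client is actually entitled to (whether done by the issuer's database-backed endpoint or by a registry the relying party trusts) removes the injected permission, and the same comparison doubles as a detection for tokens that should never have been minted.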
On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <mcrowther(a)cloudfoundry.org
CVE-2016-6651: Privilege Escalation in UAA