[LOW] CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

Molly Crowther

Cloud Foundry Foundation
Versions Affected


Cloud Foundry release v241 and earlier versions

UAA release v2.0.0 - v2.7.4.6 & v3.0.0 - v3.6.0

UAA bosh release v15 & earlier versions


Description

The UAA profile page and the OAuth authorize approval page render their forms
without CSRF tokens. A malicious site can therefore make the browser of a user
who is logged in to UAA submit a forged request that approves or denies scopes
on that user's behalf.
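The following is an added example, not code from Cloud Foundry UAA or from this advisory. It shows the two checks a practitioner would want after reading the description: an audit that parses an approval or profile page and reports every POST form that carries no hidden CSRF field, and the hardened server-side validation of an approval POST that rejects a submission whose token does not match the one bound to the session. The sample pages are constructed; the hidden-field names ("X-Uaa-Csrf", "_csrf") and the form field names (user_oauth_approval, scope.0) are assumptions for illustration and should be adjusted to the deployment being checked.

```python
"""Audit approval pages for a CSRF token and validate approval POSTs.

Added example, not code from Cloud Foundry UAA. The HTML pages below are
constructed samples; the CSRF field names and the form field names
(user_oauth_approval, scope.N) are assumptions for illustration.
"""
import hmac
import secrets
from html.parser import HTMLParser

# Hidden-input names treated as a CSRF token. "_csrf" is the Spring Security
# default; "X-Uaa-Csrf" is assumed here as the UAA name. Adjust as needed.
CSRF_FIELD_NAMES = ("X-Uaa-Csrf", "_csrf")

# Constructed sample of the vulnerable state: the approval form and the
# profile form are POST forms with no CSRF hidden field at all.
VULNERABLE_PAGE = """
<form method="POST" action="/oauth/authorize">
  <input type="checkbox" name="scope.0" value="scope.openid" checked>
  <button type="submit" name="user_oauth_approval" value="true">Authorize</button>
  <button type="submit" name="user_oauth_approval" value="false">Deny</button>
</form>
<form method="post" action="/profile">
  <input type="checkbox" name="approvals" value="app1-openid" checked>
  <button type="submit">Update</button>
</form>
"""


def render_fixed_page(token):
    """Constructed sample of the fixed state: the same forms, each carrying
    the session-bound CSRF token as a hidden input."""
    hidden = '<input type="hidden" name="X-Uaa-Csrf" value="%s">' % token
    return VULNERABLE_PAGE.replace("</form>", hidden + "\n</form>")


class FormAuditor(HTMLParser):
    """Record every <form> and whether it carries a hidden CSRF input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "has_csrf": False}
        elif tag == "input" and self._form is not None:
            if ((a.get("type") or "").lower() == "hidden"
                    and a.get("name") in CSRF_FIELD_NAMES and a.get("value")):
                self._form["has_csrf"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def post_forms_missing_csrf(html):
    """Return the actions of state-changing (POST) forms lacking a CSRF token."""
    auditor = FormAuditor()
    auditor.feed(html)
    auditor.close()
    return [f["action"] for f in auditor.forms
            if f["method"] == "post" and not f["has_csrf"]]


def new_session_token():
    """Per-session secret the server embeds in its forms and keeps server-side."""
    return secrets.token_urlsafe(32)


def approval_accepted(session_token, form_fields):
    """Hardened server-side check for an approval POST. A forged cross-site
    submission cannot read the victim's token, so it arrives without one (or
    with a wrong one) and is rejected; comparison is constant-time."""
    submitted = next((form_fields[n] for n in CSRF_FIELD_NAMES
                      if n in form_fields), None)
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    tok = new_session_token()
    print("vulnerable page, forms missing token:",
          post_forms_missing_csrf(VULNERABLE_PAGE))
    print("fixed page, forms missing token:",
          post_forms_missing_csrf(render_fixed_page(tok)))
    forged = {"user_oauth_approval": "true", "scope.0": "scope.openid"}
    genuine = dict(forged, **{"X-Uaa-Csrf": tok})
    print("forged approval accepted:", approval_accepted(tok, forged))
    print("genuine approval accepted:", approval_accepted(tok, genuine))
```

To audit a live deployment, fetch the approval page with an authenticated session and pass the response body to post_forms_missing_csrf; an empty list for the authorize and profile forms is the expected result on a fixed release, while any returned action indicates the weakness described above is still present.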

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

Upgrade to Cloud Foundry v242 [1] or later

For standalone UAA users:

UAA v3.0.0 - v3.6.0: upgrade to UAA release v3.7.0 [2], v3.4.4 [3] or
v3.3.0.5 [4]

UAA v2.x.x: upgrade to UAA release v2.7.4.7 [5]

For UAA bosh release users: upgrade to UAA-Release v16 [6] (which carries
UAA v3.7.0 [2]), v12.5 [7] (UAA v3.4.4 [3]) or v11.5 [8] (UAA v3.3.0.5 [4])


Credit

GE Digital Security Team


References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v242

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.0

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.4

[4] https://github.com/cloudfoundry/uaa/releases/tag/

[5] https://github.com/cloudfoundry/uaa/releases/tag/

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v16

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5


History

2016-09-26: Initial vulnerability report published