CVE-2018-1192
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
01/02/2018
Last modified:
28/02/2018
Description
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:* | 4.5.0 (including) | 4.5.5 (excluding) |
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:* | 4.7.0 (including) | 4.7.4 (excluding) |
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:* | 4.8.0 (including) | 4.8.3 (excluding) |
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:45.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:52.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:53.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:pivotal_software:cloud_foundry_cf-release:*:*:*:*:*:*:*:* | 285 (excluding) | |
| cpe:2.3:a:pivotal_software:cloud_foundry_cf-deployment:*:*:*:*:*:*:*:* | 1.7 (excluding) |
To consult the complete list of CPE names with products and versions, see this page