Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NPivotal Software Application Service
APPPivotal Software2.3.0 – 2.3.15 (bez)2.4.0 – 2.4.11 (bez)2.5.0 – 2.5.7 (bez)2.6.0 – 2.6.2 (bez)Pivotal Software Cloud Foundry Uaa
APPPivotal Software< 73.4.0Pivotal Software Operations Manager
APPPivotal Software2.3.0 – 2.3.22 (bez)2.4.0 – 2.4.16 (bez)2.5.0 – 2.5.10 (bez)2.6.0 – 2.6.4 (bez)
Related vulnerabilities
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions...
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation e...
Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2.1.x prior to 2.1.15, versions 2.2.x pri...
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivota...
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime...