Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bosh accepts refresh tokens in place of an access token
Vulnerability Description
Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to v265.7.0 and v266 prior to v266.8.0 and v267 prior to v267.2.0, allows refresh tokens to be as access tokens when using UAA for authentication. A remote attacker with an admin refresh token given by UAA can be used to access BOSH resources without obtaining an access token, even if their user no longer has access to those resources.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Cloud Foundry BOSH 授权问题漏洞
Vulnerability Description
Cloud Foundry BOSH中存在安全漏洞,该漏洞源于在使用UAA进行身份验证时程序允许将refresh令牌当作access令牌使用。远程攻击者可借助admin refresh令牌利用该漏洞访问BOSH资源。以下版本受到影响:Cloud Foundry BOSH 264.14.0之前的264版本,265.7.0之前的265版本,266.8.0之前的266版本,267.2.0之前的267版本。
CVSS Information
N/A
Vulnerability Type
N/A