Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers. Assume that an external identity provider is linked to the UAA, that a refresh token is issued to a client on behalf of a user from that identity provider, and that the UAA administrator then deactivates the identity provider in the UAA. The UAA is expected to reject such a refresh token during a refresh token grant, but it does not (hence the vulnerability). It continues to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active. As a result, clients holding refresh tokens issued through the deactivated identity provider retain access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Cloud Foundry UAA Code Issue Vulnerability
Vulnerability Description
Cloud Foundry UAA is an authentication and identity management service for the Cloud Foundry cloud platform, maintained by the US-based Cloud Foundry Foundation. All supported versions of UAA contain a security vulnerability: when an identity provider (IDP) is deactivated, tokens issued through it are not revoked and remain valid until they expire, so clients can still access Cloud Foundry resources.
CVSS Information
N/A
Vulnerability Type
N/A