Medium
Cloud Foundry Foundation
Cloud Foundry UAA, all versions in v60.x, v61.x, v62.x, v63.x, and v64.x contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
Users of affected versions should apply the following mitigations or upgrades:
* UAA release v66.0
This issue was responsibly reported by the UAA team of Pivotal.
2018-12-10: Initial vulnerability report published.