GoogleOSV:GHSA-XG5V-696H-C3VRCloud Foundry UAA SessionID present in Audit Event Logs
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
References
github.com/cloudfoundry/uaa
github.com/cloudfoundry/uaa/commit/1f529fcb43fd200cab10587e889343ef1683c6e6
github.com/cloudfoundry/uaa/commit/599391fe5d564c7e4860b8a6ec17cda872a822a3
github.com/cloudfoundry/uaa/commit/a61bfabbad22f646ecf1f00016b448b26a60daf
nvd.nist.gov/vuln/detail/CVE-2018-1192
www.cloudfoundry.org/blog/cve-2018-1192
Related
