CVE-2016-0781 UAA Persistent XSS Vulnerability
Severity
Low
Vendor
Cloud Foundry Foundation, Pivotal Cloud Foundry
Versions Affected
- Cloud Foundry v208 through v231
- Login-server v1.6 - v1.14
- UAA v2.0.0 - v2.7.4.1 & v3.0.0 - v3.2.0
- UAA-Release v2 - v7
- Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20
Description
The UAA OAuth approval pages render OAuth scope names (SCIM groups) and SCIM group descriptions without escaping them. Malicious JavaScript placed in either value is stored with the group and executes in the browser of any user who is shown an approval page that lists that scope, making this a persistent (stored) XSS.
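The following Python is an added illustration, not UAA's own code: it renders a minimal approval-page row the way an unescaped template would, next to an HTML-escaped version, and includes a check that flags SCIM group data already carrying markup. The SCIM listing, its field names ("resources", "displayName", "description") and the script payload are constructed for the example; the real UAA page structure and endpoints are not reproduced here.

```python
"""Added example (not UAA's own code): why unescaped SCIM group descriptions
become a persistent XSS on an OAuth approval page, the escaped rendering that
closes it, and a check for markup already stored in SCIM group data."""
import html
import json
import re

# Constructed sample of a SCIM group listing. The field names follow the SCIM
# core schema; the third description carries an illustrative payload.
SAMPLE_SCIM_GROUPS = json.dumps({
    "resources": [
        {"displayName": "openid",
         "description": "Access your profile"},
        {"displayName": "cloud_controller.read",
         "description": "View details of your applications and services"},
        {"displayName": "scim.read",
         "description": "Read users<script>fetch('/approvals')</script>"},
    ]
})


def render_approval_row_vulnerable(scope, description):
    """Interpolates SCIM data straight into the HTML, as a template that
    trusts group data would. Attacker markup reaches the browser intact."""
    return ('<li><input type="checkbox" name="scope.%s"> %s</li>'
            % (scope, description))


def render_approval_row_hardened(scope, description):
    """Same row with every group-supplied value HTML-escaped. quote=True also
    escapes quotes, which matters for the value used inside an attribute."""
    return ('<li><input type="checkbox" name="scope.%s"> %s</li>'
            % (html.escape(scope, quote=True),
               html.escape(description, quote=True)))


# Characters that change HTML structure when rendered unescaped. This is a
# conservative heuristic: a legitimate description using quotes will also be
# flagged and should simply be reviewed by hand.
_ACTIVE_MARKUP = re.compile(r"""[<>"']""")


def find_suspicious_groups(scim_groups_json):
    """Returns (displayName, field) pairs whose value contains HTML-active
    characters. Intended as a pre- or post-upgrade check: upgrading fixes the
    rendering, but a payload already stored in a group stays in the SCIM
    store until someone removes it."""
    findings = []
    for group in json.loads(scim_groups_json).get("resources", []):
        for field in ("displayName", "description"):
            if _ACTIVE_MARKUP.search(group.get(field) or ""):
                findings.append((group.get("displayName", ""), field))
    return findings


def render_page(scim_groups_json, renderer):
    """Builds the scope list of an approval page with the given row renderer."""
    rows = [renderer(g["displayName"], g.get("description", ""))
            for g in json.loads(scim_groups_json)["resources"]]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_page(SAMPLE_SCIM_GROUPS, render_approval_row_vulnerable))
    print("--- hardened rendering ---")
    print(render_page(SAMPLE_SCIM_GROUPS, render_approval_row_hardened))
    print("--- groups carrying markup ---")
    print(find_suspicious_groups(SAMPLE_SCIM_GROUPS))
```

The scanner is the part worth keeping after the upgrade: feed it the JSON returned by your own SCIM groups listing and treat any hit as a group whose description was written by someone who should not have been able to script the approval page.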
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v233 [1] or later (cf-release v232 is not recommended for use)
- For standalone UAA users:
  - UAA 3.0.0 - 3.2.0: upgrade to UAA v3.2.1 [3] or later
  - UAA 2.X.X: upgrade to UAA v2.7.4.2 [2] or v3.2.1 [3]
  - login-server 1.X: upgrade to UAA v2.7.4.2 [2] or v3.2.1 [3]
- For users of UAA-Release (the UAA BOSH release): upgrade to UAA-Release v8 [4] or later
Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigation below:
- Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.20 or later
Credit
GE Digital Security Team
References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v233
- [2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.2
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.2.1
- [4] https://github.com/cloudfoundry/uaa-release/releases/tag/v8
History
2016-Mar-23: Initial vulnerability report published