OpenCVE

An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-release Uaa-release

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release::::::::
	cpe:2.3:a:cloudfoundry:uaa-release::::::::
	cpe:2.3:a:cloudfoundry:uaa-release::::::::
	cpe:2.3:a:cloudfoundry:uaa-release:52:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/101967
https://www.cloudfoundry.org/cve-2017-8031/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2017-11-27T10:00:00

Updated: 2024-08-05T16:19:29.544Z

Reserved: 2017-04-21T00:00:00

Link: CVE-2017-8031

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-11-27T10:29:00.767

Modified: 2024-11-21T03:33:11.150

Link: CVE-2017-8031

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1", "vendor": "n/a", "versions": [{"status": "affected", "version": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1"}]}], "datePublic": "2017-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-29T10:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/cve-2017-8031/"}, {"name": "101967", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101967"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2017-8031", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1", "version": {"version_data": [{"version_value": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://www.cloudfoundry.org/cve-2017-8031/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/cve-2017-8031/"}, {"name": "101967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101967"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:19:29.544Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/cve-2017-8031/"}, {"name": "101967", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101967"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2017-8031", "datePublished": "2017-11-27T10:00:00", "dateReserved": "2017-04-21T00:00:00", "dateUpdated": "2024-08-05T16:19:29.544Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AE35B61-A146-432F-80F9-BCB030184FB0", "versionEndIncluding": "278", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:uaa-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "722E4FAD-80A1-4705-86FF-A10933424862", "versionEndExcluding": "30.6", "versionStartIncluding": "30", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:uaa-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8052FE7-3370-4227-8970-36BABECDADD8", "versionEndExcluding": "45.4", "versionStartIncluding": "45", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloudfoundry:uaa-release:52:*:*:*:*:*:*:*", "matchCriteriaId": "591ACEBD-5EA8-4856-B42E-268CD0C0E8B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service."}, {"lang": "es", "value": "Se ha descubierto un problema en Cloud Foundry Foundation cf-release (todas las versiones anteriores a v279) y UAA (versiones 30.x anteriores a la 30.6; versiones 45.x anteriores a la 45.4 y versiones 52.x anteriores a la 52.1). En algunos casos, UAA permite que un usuario autenticado para un cliente particular revoque tokens de cliente para otros usuarios en el mismo cliente. Esto solo ocurre si el cliente est\u00e1 usando tokens opacos o tokens JWT validados empleando el extremo check_token. Un actor malicioso podr\u00eda provocar una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2017-8031", "lastModified": "2024-11-21T03:33:11.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-27T10:29:00.767", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101967"}, {"source": "security_alert@emc.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.cloudfoundry.org/cve-2017-8031/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101967"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.cloudfoundry.org/cve-2017-8031/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}