CVE-2018-1190 - OpenCVE

An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudfoundry	Cf-release
Pivotal	Uaa Uaa Bosh

Configuration 1 [-]

OR	cpe:2.3:a:cloudfoundry:cf-release::::::::
	cpe:2.3:a:pivotal:uaa::::::::
	cpe:2.3:a:pivotal:uaa_bosh::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/102427
https://www.cloudfoundry.org/cve-2018-1190/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-01-04T06:00:00

Updated: 2024-08-05T03:51:48.920Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1190

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-01-04T06:29:00.467

Modified: 2021-05-25T11:46:37.777

Link: CVE-2018-1190

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0", "vendor": "n/a", "versions": [{"status": "affected", "version": "Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0"}]}], "datePublic": "2018-01-04T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management."}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-06T10:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "102427", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102427"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.cloudfoundry.org/cve-2018-1190/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "ID": "CVE-2018-1190", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0", "version": {"version_data": [{"version_value": "Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting"}]}]}, "references": {"reference_data": [{"name": "102427", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102427"}, {"name": "https://www.cloudfoundry.org/cve-2018-1190/", "refsource": "CONFIRM", "url": "https://www.cloudfoundry.org/cve-2018-1190/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.920Z"}, "title": "CVE Program Container", "references": [{"name": "102427", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102427"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cloudfoundry.org/cve-2018-1190/"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1190", "datePublished": "2018-01-04T06:00:00", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-08-05T03:51:48.920Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudfoundry:cf-release:*:*:*:*:*:*:*:*", "matchCriteriaId": "9082B432-BB81-4AF8-A422-B4D3EF2E5B8D", "versionEndIncluding": "269", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal:uaa:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C185209-47E9-41E1-8DDA-00144F5A06E0", "versionEndIncluding": "3.20.1", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pivotal:uaa_bosh:*:*:*:*:*:*:*:*", "matchCriteriaId": "2582ECE3-3F3F-4CC2-A4DB-799C165E33F1", "versionEndIncluding": "44", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management."}, {"lang": "es", "value": "Se ha encontrado un problema en los siguientes productos Pivotal Cloud Foundry: todas las versiones anteriores a cf-release v270, UAA v3.x anteriores a la v3.20.2 y UAA bosh v30.x en versiones anteriores al a v30.8 y todas las dem\u00e1s versiones anteriores a la v45.0. Es posible un ataque Cross-Site Scripting (XSS) en el par\u00e1metro clientId de una petici\u00f3n al endpoint UAA OpenID Connect check session iframe utilizado para gestionar las sesiones Single-Logout."}], "id": "CVE-2018-1190", "lastModified": "2021-05-25T11:46:37.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-04T06:29:00.467", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102427"}, {"source": "security_alert@emc.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://www.cloudfoundry.org/cve-2018-1190/"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}