CVE-2021-22001

Published: Jul 22, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In UAA versions prior to 75.3.0, sensitive information like relaying secret of the provider was revealed in response when deletion request of an identity provider( IdP) of type “oauth 1.0” was sent to UAA server.

Affected (2)

Products: Cloudfoundry: Cf Deployment, User Account And Authentication

Cloudfoundry

2 products

Cf Deployment

User Account And Authentication

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cloudfoundry Cf Deployment	Before 16.18.0
Cloudfoundry User Account And Authentication	Before 75.3.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://www.cloudfoundry.org/blog/cve-2021-22001-sensitive-info-leakage-in-uaa-during-identity-provider-deletion/

Source: security@vmware.com

Vendor Advisory

https://www.cloudfoundry.org/blog/cve-2021-22001-sensitive-info-leakage-in-uaa-during-identity-provider-deletion/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.