GHSA-Q4Q2-93PW-QWGF

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2024-03-04 20:48
Summary
Issuer validation regression in Spring Cloud SSO Connector
Details

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Spring Cloud SSO Connector: 2.1.3
  • Alternatively, you can perform one of the following workarounds:
    • Bind your resource server to the SSO service plan via a service instance binding
    • Set “sso.connector.cloud.available=true” within your Spring application properties
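As an added illustration, not code from the advisory or from the SSO Connector project, the following Python models the failure mode described in the Details above: a resource server that resolves a token's signing key from the token's own `iss` claim and, with issuer validation switched off, accepts a validly signed token minted by a different service plan. The issuer URLs, the HS256 keys, the key-resolution-by-issuer behaviour and the `validate_issuer` switch are all constructed assumptions for the example; the real connector's internals are not shown on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material for two hypothetical SSO service plans.
# In a real deployment each plan has its own issuer and signing keys;
# the secrets here exist only so the example runs offline.
PLAN_KEYS = {
    "https://plan-a.login.example.com/oauth/token": b"plan-a-secret",
    "https://plan-b.login.example.com/oauth/token": b"plan-b-secret",
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(issuer: str, subject: str) -> str:
    """Mint an HS256 JWT on behalf of a given service plan (constructed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(PLAN_KEYS[issuer], signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, expected_issuer: str, validate_issuer: bool = True):
    """Resource-server side check.

    Returns the claims when the token is accepted, or None when rejected.
    The key used to check the signature is chosen from the token's own
    `iss` claim (an assumed key-resolution pattern), which is exactly why
    skipping the issuer comparison lets a token from another plan through.
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token: wrong number of segments
    claims = json.loads(b64url_decode(payload))
    issuer = claims.get("iss")

    # The mitigated path: only tokens from the configured issuer are acceptable.
    if validate_issuer and issuer != expected_issuer:
        return None

    # The regression modelled here: with validate_issuer=False the key lookup
    # trusts whichever known issuer the token names.
    key = PLAN_KEYS.get(issuer)
    if key is None:
        return None  # unknown issuer, no key to verify with
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return None  # signature does not match the resolved key
    return claims


if __name__ == "__main__":
    plan_a = "https://plan-a.login.example.com/oauth/token"
    plan_b = "https://plan-b.login.example.com/oauth/token"
    foreign = mint_token(plan_b, "alice")
    print("issuer check off:", verify_token(foreign, plan_a, validate_issuer=False))
    print("issuer check on: ", verify_token(foreign, plan_a))
```

Running the script shows the plan B token being accepted by a resource server configured for plan A when the issuer comparison is skipped, and rejected once it is enforced; the signature check alone does not help, because the key was resolved from the attacker-controlled `iss` claim. Binding the resource server to its plan, or setting the property named in the workaround, restores the equivalent of `validate_issuer=True` in the real connector.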


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.pivotal.spring.cloud:spring-cloud-sso-connector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.2.RELEASE"
            },
            {
              "fixed": "2.1.3.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.2.RELEASE"
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1256"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-08T21:04:11Z",
    "nvd_published_at": "2018-05-07T16:22:00Z",
    "severity": "HIGH"
  },
  "details": "Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.\n\n### Mitigation\nUsers of affected versions should apply the following mitigation:\n* Releases that have fixed this issue include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSpring Cloud SSO Connector: 2.1.3\u003c/li\u003e\u003c/ul\u003e\n* Alternatively, you can perform \u003cu\u003eone\u003c/u\u003e of the following workarounds:\u003c/p\u003e\u003cul\u003e\u003cli\u003eBind your resource server to the SSO service plan via a service instance binding\u003c/li\u003e\u003cli\u003eSet \u201csso.connector.cloud.available=true\u201d within your Spring application properties\u003c/li\u003e\u003c/ul\u003e\n\n",
  "id": "GHSA-q4q2-93pw-qwgf",
  "modified": "2024-03-04T20:48:59Z",
  "published": "2022-05-13T01:07:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pivotal-cf/spring-cloud-sso-connector/commit/ef647a2acf2363c6018e8543d665ac8862593372"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2018-1256"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Issuer validation regression in Spring Cloud SSO Connector"
}

