org.cloudfoundry.identity:cloudfoundry-identity-common@2.7.4.6 vulnerabilities

org.cloudfoundry.identity:cloudfoundry-identity-common is a CloudFoundry Identity Common package.

Affected versions of this package are vulnerable to Session Fixation, via the User Account and Authentication (UAA). When UAA is configured to authenticate against external SAML or OpenID Connect based identity providers.

Upgrade org.cloudfoundry.identity:cloudfoundry-identity-common to version 2.7.4.13 or higher.

org.cloudfoundry.identity:cloudfoundry-identity-common is a CloudFoundry Identity Common package.

Affected versions of this package are vulnerable to SQL Injection, via the User Account and Authentication (UAA). The vulnerability occurs due to client_id string was not properly validated.

There is no fixed version for org.cloudfoundry.identity:cloudfoundry-identity-common.

org.cloudfoundry.identity:cloudfoundry-identity-common is a CloudFoundry Identity Common package.

Affected versions of this package are vulnerable to SQL Injection via the User Account and Authentication (UAA).

There is no fixed version for org.cloudfoundry.identity:cloudfoundry-identity-common.

org.cloudfoundry.identity:cloudfoundry-identity-common The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token.