Authentication Bypass Affecting io.pivotal.spring.cloud:spring-cloud-sso-connector Open this link in a new tab package, versions [2.1.2.RELEASE,2.1.3.RELEASE)

Attack Complexity

High
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-IOPIVOTALSPRINGCLOUD-32256
published

10 May 2018
disclosed

30 Apr 2018
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 30 Apr 2018

CVE-2018-1256 Open this link in a new tab CWE-592 Open this link in a new tab

How to fix?

Upgrade io.pivotal.spring.cloud:spring-cloud-sso-connector to version 2.1.3 or higher.

Overview

io.pivotal.spring.cloud:spring-cloud-sso-connector is a Spring Cloud Connector for use with the Pivotal Single Sign-On Service on Cloud Foundry.

Affected versions of this package are vulnerable to Authentication Bypass. It disables issuer validation in resource servers that are not bound to the SSO service. A remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

References

Pivotal Security Advisory

Authentication Bypass Affecting io.pivotal.spring.cloud:spring-cloud-sso-connector Open this link in a new tab package, versions [2.1.2.RELEASE,2.1.3.RELEASE)

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 30 Apr 2018

How to fix?

Overview

References