CVE-2018-1195

Summary

In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.

Affected Software

VendorProductVersion RangeStatus
Dell EMCCloud ControllerYou are using Cloud Controller version prior to 1.46.0affected
Dell EMCCloud ControllerYou are using cf-deployment version prior to 1.3.0affected
Dell EMCCloud ControllerYou are using cf-release version prior to 283affected

Weaknesses

  • API will accept a refresh token for authentication

ADP Enrichment

CVE Program Container

Additional References

References