CVE-2018-1256

Summary

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

Affected Software

VendorProductVersion RangeStatus
PivotalSpring Cloud SSO Connector2.1.2affected

Weaknesses

  • Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

References