CVE-2017-8031

Description

An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.

5.3

CVSS

Severity: Medium

CVSS 3.1 •

CVSS 2.0 •

EPSS 0.42%

Third-Party Advisory securityfocus.com Third-Party Advisory cloudfoundry.org

Affected: n/a cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1

References

Link	Tags
https://www.cloudfoundry.org/cve-2017-8031/	third party advisory issue tracking
http://www.securityfocus.com/bid/101967	third party advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2017-8031?: CVE-2017-8031 has been scored as a medium severity vulnerability.
How to fix CVE-2017-8031?: To fix CVE-2017-8031, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-8031 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2017-8031 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-8031?: CVE-2017-8031 affects n/a cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.