Description
Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- Cloud Foundry / CF DeploymentAll – v12.2.0
- Cloud Foundry / UAA ReleaseAll – v74.3.0