CVE-2020-5402: UAA fails to check the state parameter when authenticating with external IDPs
Severity
High
Vendor
Pivotal
Description
Operations Manager, 2.5 versions prior to 2.5.30, 2.6 versions prior to 2.6.23, 2.7 versions prior to 2.7.13, and 2.8 versions prior to 2.8.4; Pivotal Container Service (PKS), all versions prior to 1.7.0; and VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4; through their consumption of Cloud Foundry UAA, are vulnerable to a CSRF exploit due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.
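The flaw is a missing check in the OAuth2 authorization-code callback. The following added example (not UAA's code; the session dict, parameter names and the token-exchange stub are hypothetical) models a callback that ignores `state` beside one that binds a fresh, single-use `state` to the browser session and rejects any callback that does not carry it:

```python
import hmac
import secrets

# Hypothetical minimal model of the OAuth2 authorization-code flow's
# "state" handling; this is not Cloud Foundry UAA's implementation.

def begin_login(session: dict) -> str:
    """Start the redirect to the external IdP: mint an unguessable
    state value, bind it to the caller's session, and return it so
    the caller can put it in the authorize request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state

def exchange_code(code: str) -> str:
    """Stand-in for the token-endpoint exchange: maps a constructed
    authorization code to the identity the IdP issued it for."""
    return f"user-for-{code}"

def callback_vulnerable(session: dict, params: dict) -> str:
    """Models the defect in the advisory: the callback consumes
    whatever 'code' arrives and never compares 'state' with the
    value bound to this session, so a callback URL that this
    browser session never initiated is accepted (CSRF)."""
    return exchange_code(params["code"])

def callback_hardened(session: dict, params: dict) -> str:
    """Corrected callback: the state is consumed once (pop), must be
    present on both sides, and is compared in constant time."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        raise PermissionError("missing OAuth2 state: rejecting callback")
    if not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth2 state mismatch: possible CSRF")
    return exchange_code(params["code"])
```

Because the hardened handler pops the stored value, a replayed callback with a previously valid state is also rejected.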
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Operations Manager
  - 2.5 versions prior to 2.5.30
  - 2.6 versions prior to 2.6.23
  - 2.7 versions prior to 2.7.13
  - 2.8 versions prior to 2.8.4
- Pivotal Container Service (PKS)
  - all versions prior to 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.6.x versions prior to 2.6.16
  - 2.7.x versions prior to 2.7.10
  - 2.8.x versions prior to 2.8.4
Mitigation
Users of affected versions should upgrade to the following fixed versions:
- Operations Manager
  - 2.5.30
  - 2.6.23
  - 2.7.13
  - 2.8.4
- Pivotal Container Service (PKS)
  - 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.6.16
  - 2.7.10
  - 2.8.4
Credit
Jonathan Leitschuh
References
- https://www.cloudfoundry.org/blog/cve-2020-5402
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5402
History
2020-04-14: Initial vulnerability report published.