All Vulnerability Reports

CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist




Cloud Foundry


Cloud Foundry UAA Release, versions v60 prior to v66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Application Service
    • 2.2.x prior to 2.2.11
    • 2.3.x prior to 2.3.5
  • Pivotal Operations Manager
    • 2.3.x prior to 2.3.8
    • 2.4.x prior to 2.4.2


Users of affected versions should apply the following mitigation:

  • Pivotal Application Service
    • 2.2.11
    • 2.3.5
  • Pivotal Operations Manager
    • 2.3.8
    • 2.4.2



2018-12-10: Initial vulnerability report published.