CVE-2020-5402: UAA fails to check the state parameter when authenticating with external IDPs
High
Pivotal
Operations Manager, 2.5 versions prior to 2.5.30, 2.6 versions prior to 2.6.23, 2.7 versions prior to 2.7.13, and 2.8 versions prior to 2.8.4; Pivotal Container Service (PKS), all versions prior to 1.7.0; and VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4; through their consumption of Cloud Foundry UAA, are vulnerable to a CSRF exploit due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.
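The defect described above is a missing check on the OAuth2 `state` parameter in the callback that receives the external identity provider's redirect. The following added example (not UAA's own code) shows a minimal relying-party login in Python: `begin_login` binds a fresh `state` to the browser session before redirecting, and `handle_callback` accepts the returned `code` only when the `state` matches; the `check_state=False` path reproduces the flawed behaviour for comparison. Endpoint URLs and the client id are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholders for this example; not UAA's real endpoints.
IDP_AUTHORIZE_URL = "https://idp.example/oauth/authorize"
REDIRECT_URI = "https://uaa.example/login/callback"
CLIENT_ID = "example-client"


def begin_login(session):
    """Step 1: mint an unguessable state, bind it to this browser session,
    and build the redirect to the external IdP that carries it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{IDP_AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session, query, check_state=True):
    """Step 2: the IdP redirects the browser back with ?code=...&state=...
    check_state=False mirrors the flaw in the advisory: any code that reaches
    the callback URL is accepted as this session's login, even one the session
    never requested (the CSRF condition). check_state=True is the fix: the code
    is accepted only if the state equals the value begin_login issued for this
    session, and the stored state is consumed so it cannot be replayed."""
    code = query.get("code")
    if not code:
        return ("rejected", "missing code")
    expected = session.pop("oauth_state", None)  # one-time use either way
    if check_state:
        received = query.get("state")
        if received is None:
            return ("rejected", "missing state")
        if expected is None or not hmac.compare_digest(
            expected.encode(), received.encode()
        ):
            return ("rejected", "state mismatch")
    return ("accepted", code)
```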
Severity is high unless otherwise noted.
- Operations Manager
  - 2.5 versions prior to 2.5.30
  - 2.6 versions prior to 2.6.23
  - 2.7 versions prior to 2.7.13
  - 2.8 versions prior to 2.8.4
- Pivotal Container Service (PKS)
  - all versions prior to 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.6.x versions prior to 2.6.16
  - 2.7.x versions prior to 2.7.10
  - 2.8.x versions prior to 2.8.4
Users of affected versions should apply the following mitigation or upgrade:
- Operations Manager
  - 2.5.30
  - 2.6.23
  - 2.7.13
  - 2.8.4
- Pivotal Container Service (PKS)
  - 1.7.0
- VMware Tanzu Application Service for VMs
  - 2.6.16
  - 2.7.10
  - 2.8.4
Credit: Jonathan Leitschuh
References:
- https://www.cloudfoundry.org/blog/cve-2020-5402
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5402
2020-04-14: Initial vulnerability report published.