All Vulnerability Reports

CVE-2020-5402: UAA fails to check the state parameter when authenticating with external IDPs

Severity

High

Vendor

Pivotal

Description

Operations Manager, 2.5 versions prior to 2.5.30, 2.6 versions prior to 2.6.23, 2.7 versions prior to 2.7.13, and 2.8 versions prior to 2.8.4; Pivotal Container Service (PKS), all versions prior to 1.7.0; and VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4; through their consumption of Cloud Foundry UAA, are vulnerable to a CSRF exploit due to the OAuth2 state parameter not being checked in the callback function when authenticating with external identity providers.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• Operations Manager
  • 2.5 versions prior to 2.5.30
  • 2.6 versions prior to 2.6.23
  • 2.7 versions prior to 2.7.13
  • 2.8 versions prior to 2.8.4

• Pivotal Container Service (PKS)
  • all versions prior to 1.7.0

• VMware Tanzu Application Service for VMs
  • 2.6.x versions prior to 2.6.16
  • 2.7.x versions prior to 2.7.10
  • 2.8.x versions prior to 2.8.4

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

• Operations Manager
  • 2.5.30
  • 2.6.23
  • 2.7.13
  • 2.8.4

• Pivotal Container Service (PKS)
  • 1.7.0

• VMware Tanzu Application Service for VMs
  • 2.6.16
  • 2.7.10
  • 2.8.4

Credit

Jonathan Leitschuh

References

• https://www.cloudfoundry.org/blog/cve-2020-5402
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5402

History

2020-04-14: Initial vulnerability report published.