7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11047

GHSA ID

GHSA-r4v8-9hgx-vm6m

EPSS Score

0.50899%

CWE

CWE-863

Published

5/13/2022

Updated

3/1/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-11047

CVE-2018-11047: Cloud Foundry UAA accepts refresh token as access token on admin endpoints

Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11047

GHSA ID

GHSA-r4v8-9hgx-vm6m

EPSS Score

0.50899%

CWE

CWE-863

Published

5/13/2022

Updated

3/1/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.cloudfoundry.identity:cloudfoundry-identity-server	maven	< 4.5.7	4.5.7
org.cloudfoundry.identity:cloudfoundry-identity-server	maven	>= 4.6.0, < 4.7.6	4.7.6
org.cloudfoundry.identity:cloudfoundry-identity-server	maven	>= 4.8.0, < 4.10.2	4.10.2
org.cloudfoundry.identity:cloudfoundry-identity-server	maven	>= 4.11.0, < 4.12.4	4.12.4
org.cloudfoundry.identity:cloudfoundry-identity-server	maven	>= 4.13.0, < 4.19.2	4.19.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from UAA's failure to distinguish between access tokens and refresh tokens when authorizing admin endpoints. The patch added JTI claim validation in loadAuthentication() to reject tokens ending with REFRESH_TOKEN_SUFFIX. The pre-patch version of this function lacked these checks, making it the root cause. Multiple test cases in UaaTokenServicesTests.java confirm this was the vulnerable entry point by testing refresh token rejection scenarios.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*lou* *oun*ry U**, v*rsions *.** prior to *.**.* *n* *.** prior to *.**.* *n* *.** prior to *.**.* *n* *.* prior to *.*.* *n* *.* prior to *.*.*, in*orr**tly *ut*oriz*s r*qu*sts to **min *n*points *y ****ptin* * v*li* r**r*s* tok*n in li*u o* *n ****

Reasoning

T** vuln*r**ility st*mm** *rom U**'s **ilur* to *istin*uis* **tw**n ****ss tok*ns *n* r**r*s* tok*ns w**n *ut*orizin* **min *n*points. T** p*t** ***** JTI *l*im v*li**tion in lo***ut**nti**tion() to r*j**t tok*ns *n*in* wit* R**R*S*_TOK*N_SU**IX. T**

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-11047: Cloud Foundry UAA accepts refresh token as access token on admin endpoints

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI