In Cloud Controller versions before 1.46.0, cf-deployment versions before 1.3.0, and cf-release versions before 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.
Vulnerable Product |
---|
cloudfoundry cf-release |
cloudfoundry cf-deployment |
cloudfoundry capi-release |
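
The gap described above, as an added example that is not Cloud Controller's own code: a resource server that only checks signature and expiry accepts a refresh token, while a hardened check also refuses it. The helper names, the HS256 demo key, the sample claims and the rule that refresh tokens carry a `jti` ending in `-r` are assumptions made for illustration and are not stated on this page.

```ruby
require 'openssl'
require 'json'

class BadToken < StandardError; end

KEY = 'constructed-demo-key' # constructed HMAC key for the sample tokens

def b64(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def unb64(str)
  (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')
end

# Build a constructed HS256 JWT so the example runs offline.
def sign_token(claims, key = KEY)
  input = "#{b64({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64(claims.to_json)}"
  "#{input}.#{b64(OpenSSL::HMAC.digest('SHA256', key, input))}"
end

# Signature and expiry only: any validly signed, unexpired token passes,
# which is the behaviour the advisory describes.
def verify_signature(token, key = KEY, now = Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  raise BadToken, 'malformed token' unless header && payload && sig
  expected = b64(OpenSSL::HMAC.digest('SHA256', key, "#{header}.#{payload}"))
  raise BadToken, 'bad signature' unless OpenSSL.secure_compare(expected, sig)
  claims = JSON.parse(unb64(payload))
  raise BadToken, 'expired' unless claims['exp'].to_i > now
  claims
rescue ArgumentError, JSON::ParserError
  raise BadToken, 'undecodable payload'
end

# Hardened: additionally refuse refresh tokens and tokens with no jti.
# Assumption: the issuer gives refresh tokens a jti ending in "-r".
def authenticate_access_token(token, key = KEY)
  claims = verify_signature(token, key)
  jti = claims['jti'].to_s
  raise BadToken, 'refresh token where access token expected' if jti.empty? || jti.end_with?('-r')
  claims
end

# Constructed sample tokens for one user.
exp = Time.now.to_i + 600
ACCESS  = sign_token({ 'jti' => 'a1b2c3', 'user_id' => 'demo-user', 'exp' => exp })
REFRESH = sign_token({ 'jti' => 'a1b2c3-r', 'user_id' => 'demo-user', 'exp' => exp })
```
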