CVE-2023-20903: Tokens for inactivated IDPs are not revoked and remain valid until expiration | Cloud Foundry
Disclosure
Severity
CVSS score: 2.7 (Low)
Vendor
Cloud Foundry Foundation
Versions Affected
All versions
Description
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.
Assuming that:
- an external identity provider is linked to the UAA
- a refresh token is issued to a client on behalf of a user from that identity provider
- the administrator of the UAA deactivates the identity provider from the UAA
It is expected that the UAA would reject such a refresh token during a refresh token grant, but it does not (hence the vulnerability). It continues to issue access tokens to requests presenting such refresh tokens, as if the identity provider were still active.
As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
Affected Cloud Foundry Products and Versions
*Severity is 2.7 unless otherwise noted.
- UAA
  - all supported releases
Mitigation
Users of Cloud Foundry and UAA are encouraged to follow the mitigations below.
When updating an identity provider’s settings in the UAA to make it inactive (setting “active” to “false”), if you expect all tokens issued through that identity provider to be revoked, you must revoke them manually by calling one of the UAA endpoints for revoking tokens.
At this time this notice is provided for your information only. Users are encouraged to apply the mitigation to their UAA identity provider management process.
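One way to carry out the manual revocation step above, as an added example that is not code from the advisory or from the UAA project: it lists the users whose `origin` matches the deactivated identity provider's origin key through the UAA SCIM endpoint `GET /Users?filter=origin eq "<origin>"`, then calls `DELETE /oauth/token/revoke/user/{userId}` for each of them. The base URL, the admin bearer token (and the scopes it needs for SCIM reads and token revocation) and the origin key `my-saml-idp` are assumptions; `fake_send` is a constructed stand-in for the UAA so the demo runs offline.

```python
import json
import urllib.request
from urllib.parse import quote

def http_send(method, url, headers):
    """Send one HTTPS request to the UAA and return (status_code, body_text)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()

def list_users_by_origin(base_url, token, origin, send=http_send):
    """Return SCIM ids of all users whose 'origin' equals the IdP's origin key."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    flt = quote('origin eq "%s"' % origin)
    ids, start = [], 1  # SCIM startIndex is 1-based; walk every page
    while True:
        url = f"{base_url}/Users?filter={flt}&startIndex={start}&count=100"
        status, body = send("GET", url, headers)
        if status != 200:
            raise RuntimeError(f"user listing failed with HTTP {status}")
        page = json.loads(body)
        resources = page.get("resources", [])
        ids.extend(u["id"] for u in resources)
        if not resources or start + len(resources) > page.get("totalResults", 0):
            return ids
        start += len(resources)

def revoke_user_tokens(base_url, token, user_id, send=http_send):
    """Revoke every access and refresh token issued to one user; True on success."""
    status, _ = send("DELETE", f"{base_url}/oauth/token/revoke/user/{user_id}",
                     {"Authorization": "Bearer " + token})
    return status in (200, 204)

def revoke_tokens_for_origin(base_url, token, origin, send=http_send):
    """Mitigation for the advisory: returns ([revoked user ids], [ids whose revoke failed])."""
    revoked, failed = [], []
    for uid in list_users_by_origin(base_url, token, origin, send):
        (revoked if revoke_user_tokens(base_url, token, uid, send) else failed).append(uid)
    return revoked, failed

def fake_send(method, url, headers):
    """Constructed stand-in for a UAA: two IdP users, revocation of the second fails."""
    if method == "GET" and "/Users?" in url:
        return 200, json.dumps({"totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
                                "resources": [{"id": "user-a"}, {"id": "user-b"}]})
    return (404, "") if url.endswith("/user-b") else (200, "")

if __name__ == "__main__":
    # Real run: revoke_tokens_for_origin("https://uaa.example.com", ADMIN_TOKEN, "my-saml-idp")
    print(revoke_tokens_for_origin("https://uaa.example.com", "ADMIN_TOKEN", "my-saml-idp", fake_send))
```

Run it after setting the identity provider inactive; any ids reported as failed still hold valid refresh tokens and need a retry.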
Credit
This issue was responsibly reported by Florian Tack (SAP).
History
2023-03-20: Initial vulnerability report published.