{"id":"CVE-2018-11082","details":"Cloud Foundry UAA, all versions prior to 4.20.0, and Cloud Foundry UAA Release, all versions prior to 61.0, allow brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force the MFA code to log in as the targeted user.","modified":"2026-04-10T04:04:18.968852Z","published":"2018-10-05T21:29:00.637Z","references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2018-11082/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa","events":[{"introduced":"0"},{"fixed":"8461b60b5e314abeaae6b3a33418f61c2a1d773f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.20.0"}]}},{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa-release","events":[{"introduced":"0"},{"fixed":"6f17e8c2a1dbdef26569792641d375896cc7cd12"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"61.0"}]}}],"versions":["1.0.1","1.0.3","1.1","1.1.1","1.1.2","1.2.0","1.2.6","1.4.0","1.4.1","1.4.2","1.4.3","1.4.5","1.4.6","1.4.7","1.5.0","1.5.2","1.5.2.1","1.5.3","1.5.4","1.5.4.1","1.6.1","1.6.2","1.8.0","4.10.0","4.11.0","4.12.0","4.15.0","4.16.0","4.17.0","4.18.0","4.19.0","4.9.0","ci-upgrade","releases/4.15.0","travis-success-1475","travis-success-1478","travis-success-1497","v10","v11","v12","v12.3","v14","v15","v16","v17","v18","v19","v2","v20","v21","v22","v23","v24","v25","v26","v27","v3","v31","v53","v55","v56","v57","v58","v59","v6","v60","v7","v8","v9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11082.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}