{"id":"CVE-2018-15754","details":"Cloud Foundry UAA versions from 60 up to, but not including, 66.0 contain an authorization logic error. In environments with multiple identity providers where accounts in different identity providers share the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.","modified":"2026-04-10T04:06:20.356253Z","published":"2018-12-13T22:29:00.280Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106240"},{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2018-15754"},{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2018-15754/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa-release","events":[{"introduced":"0"},{"fixed":"4e675abc1f6d7c24dc2856de11fad3183f86348b"}],"database_specific":{"versions":[{"introduced":"60.0"},{"fixed":"66.0"}]}}],"versions":["ci-upgrade","v10","v11","v12","v12.3","v14","v15","v16","v17","v18","v19","v2","v20","v21","v22","v23","v24","v25","v26","v27","v3","v31","v53","v55","v56","v57","v58","v59","v6","v60","v61.0","v62.0","v63.0","v64.0","v7","v8","v9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15754.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}