CVE-2018-15754 | UAA can issue tokens across identity providers if users with matching usernames exist
Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
Conclusion & alert: CVE-2018-15754 is rated Moderate Risk (44.5/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.78%).Core evidence: EPSS rose +1.36% over the last day, indicating growing attacker interest.Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2018-15754
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).