CVE-2023-20903

CVE-2023-20903 is a medium-severity vulnerability in Cloudfoundry User Account And Authentication with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-613.

Key facts

Description

This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).

Frequently asked questions

What is CVE-2023-20903?
This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.Assuming that an external identity provider is linked to the UAA, a refresh token is issued to a client on behalf of a user from that identity provider, the administrator of the UAA deactivates the identity provider from the UAA. It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active. As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).
How severe is CVE-2023-20903?
CVE-2023-20903 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2023-20903 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-20903?
CVE-2023-20903 affects Cloudfoundry User Account And Authentication. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-20903?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2023-20903 published?
CVE-2023-20903 was published on 2023-03-28 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Cloudfoundry User Account And Authentication

All CVEs affecting Cloudfoundry User Account And Authentication →

Other CWE-613 (Insufficient Session Expiration) vulnerabilities

Browse all CWE-613 (Insufficient Session Expiration) vulnerabilities →