Cloudflare CASB Confused Deputy Problem
Team Summary
Official summary from Cloudflare Public Bug Bounty
Cloudflare CASB on a select number of integrations, Microsoft and GitHub, was vulnerable to the confused deputy problem. If an attacker, via a brute force attack or another mechanism, was able to enumerate a valid Microsoft tenant UUID or Microsoft domain, or GitHub installation_id that an existing Cloudflare CASB customer had integrated with, then the attacker would have been able to create a new integration which could surface sensitive information. Cloudflare's CASB engineering team rapidly implemented a fix to disallow the ability to create multiple integrations pointing to the same tenant, thus nullifying the attack as an option. Moreover, an internal investigation did not show impact to any customer data (outside of the reporting researcher's accounts).
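The fix described above (one integration per external tenant) can be sketched as follows. This is an added example, not Cloudflare's code: `IntegrationRegistry`, `normalize_tenant`, the account names and the tenant value are hypothetical, and the identifier canonicalization step is an assumption added so that spelling variants of the same tenant cannot slip past the uniqueness check.

```python
import uuid

class DuplicateTenantError(Exception):
    """The external tenant is already bound to an integration."""

def normalize_tenant(provider, tenant_ref):
    """Canonicalize the identifier so spelling variants of one tenant collide."""
    provider = provider.strip().lower()
    ref = tenant_ref.strip().lower()
    if provider == "github":
        if not (ref.isascii() and ref.isdigit()):
            raise ValueError("installation_id must be numeric")
        return provider, str(int(ref))          # "0042" -> "42"
    try:
        return provider, str(uuid.UUID(ref))    # braces, case, missing hyphens
    except ValueError:
        return provider, ref.rstrip(".")        # treat as a domain name

class IntegrationRegistry:
    """Hypothetical store of (account, provider, tenant) integrations."""

    def __init__(self, enforce_unique_tenant):
        self.enforce_unique_tenant = enforce_unique_tenant
        self.integrations = []

    def create(self, account_id, provider, tenant_ref):
        key = normalize_tenant(provider, tenant_ref)
        taken = any((p, t) == key for _, p, t in self.integrations)
        if self.enforce_unique_tenant and taken:
            # Do not reveal which account holds the tenant.
            raise DuplicateTenantError("tenant already integrated")
        self.integrations.append((account_id, *key))
        return key

    def accounts_for(self, provider, tenant_ref):
        key = normalize_tenant(provider, tenant_ref)
        return [a for a, p, t in self.integrations if (p, t) == key]

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed sample value

def second_account_can_attach(enforce_unique_tenant):
    """True if a second account can bind to a tenant another account holds."""
    reg = IntegrationRegistry(enforce_unique_tenant)
    reg.create("acct-customer", "microsoft", TENANT)
    try:
        reg.create("acct-other", "microsoft", "{" + TENANT.upper() + "}")
    except DuplicateTenantError:
        return False
    return len(reg.accounts_for("microsoft", TENANT)) == 2
```

With `enforce_unique_tenant=False` the registry reproduces the pre-fix behaviour, where two accounts end up bound to the same tenant; with `True` the second creation is rejected.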
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $3300.00