Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cloud_foundry_elastic_runtime
(Pivotal_software)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 28 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-06-13 | CVE-2017-2773 | An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue. | Cloud_foundry_elastic_runtime | 9.8 | ||
| 2018-03-29 | CVE-2016-6658 | Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud... | Cf\-Release, Cloud_foundry_elastic_runtime | 9.6 | ||
| 2016-12-16 | CVE-2016-6657 | An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Users of affected versions should apply the following mitigation: Upgrade PCF Elastic Runtime 1.8.x versions to 1.8.12 or later. Upgrade PCF Ops Manager 1.7.x versions to 1.7.18 or later and 1.8.x versions to 1.8.10 or later. | Cloud_foundry_elastic_runtime, Cloud_foundry_ops_manager | 7.4 | ||
| 2017-04-24 | CVE-2016-5016 | Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. | Cloud_foundry, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release | 5.9 | ||
| 2017-05-02 | CVE-2016-5006 | The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. | Cloud_foundry, Cloud_foundry_elastic_runtime | 9.8 | ||
| 2016-09-18 | CVE-2016-0927 | Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Cloud_foundry_elastic_runtime | 6.1 | ||
| 2016-09-18 | CVE-2016-0926 | Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework. | Cloud_foundry_elastic_runtime | 6.1 | ||
| 2016-09-18 | CVE-2016-0896 | Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address. | Cloud_foundry_elastic_runtime | 7.3 |