Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cloud_foundry_uaa
(Pivotal_software)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 32 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-05-25 | CVE-2016-3084 | The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | Cloud_foundry_uaa_bosh, Cloud_foundry, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa, Login\-Server | 8.1 | ||
| 2017-06-13 | CVE-2017-4994 | An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2.x versions prior to v2.7.4.18, 3.6.x versions prior to v3.6.12, 3.9.x versions prior to v3.9.14, and other versions prior to v4.3.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.16, 24.x versions prior to v24.11, 30.x versions prior to 30.4, and other versions prior to v40. There was an issue with forwarded http headers in UAA that could result in account corruption. | Cloud_foundry_uaa_bosh, Cloud_foundry_cf, Cloud_foundry_uaa | 7.5 | ||
| 2019-07-18 | CVE-2019-3794 | Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites. | Cloud_foundry_uaa | 5.4 | ||
| 2018-11-19 | CVE-2018-15761 | Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges. | Cloud_foundry_uaa, Cloudfoundry_uaa_release | 8.8 | ||
| 2019-08-05 | CVE-2019-11270 | Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | Application_service, Cloud_foundry_uaa, Operations_manager | 7.5 | ||
| 2017-06-13 | CVE-2017-4963 | An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | Cloud_foundry_cf\-Release, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release | 8.1 | ||
| 2018-02-01 | CVE-2018-1192 | In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user. | Cloud_foundry_cf\-Deployment, Cloud_foundry_cf\-Release, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release | 8.8 | ||
| 2018-07-24 | CVE-2018-11047 | Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc.... | Cloud_foundry_uaa | 7.5 | ||
| 2018-06-25 | CVE-2018-11041 | Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt. | Cloud_foundry_uaa, Cloud_foundry_uaa\-Release | 6.1 | ||
| 2017-04-24 | CVE-2016-5016 | Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. | Cloud_foundry, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa, Cloud_foundry_uaa\-Release | 5.9 |