Product:

Cloud_foundry_uaa

(Pivotal_software)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 32
Date Id Summary Products Score Patch Annotated
2017-06-13 CVE-2017-4972 An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. An attacker can use a blind SQL injection attack to query the contents of the UAA database. Cf\-Release, Cloud_foundry_uaa_bosh, Cloud_foundry_uaa 7.5
2017-06-13 CVE-2017-4991 An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36. Privileged users in one zone are allowed to perform a password reset for users in a different zone. Cf\-Release, Cloud_foundry_uaa_bosh, Cloud_foundry_uaa 7.2
2017-06-13 CVE-2017-4992 An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Cf\-Release, Cloud_foundry_uaa_bosh, Cloud_foundry_uaa 9.8
2017-05-25 CVE-2015-3189 With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 3.7
2017-05-25 CVE-2015-3190 With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter. Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 6.1
2017-05-25 CVE-2015-3191 With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for... Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 8.8
2017-10-24 CVE-2015-5170 Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 8.8
2017-10-24 CVE-2015-5171 The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 9.8
2017-10-24 CVE-2015-5172 Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 9.8
2017-10-24 CVE-2015-5173 Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa 8.8