CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2016-0708
https://notcve.org/view.php?id=CVE-2016-0708
11 Jul 2018 — Applications deployed to Cloud Foundry, versions v166 through v227, may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions fo... • https://www.cloudfoundry.org/blog/cve-2016-0708 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-2169
https://notcve.org/view.php?id=CVE-2016-2169
18 Apr 2018 — Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service. Cloud Foundry Cloud Controller, capi-release en versiones anteriores a la 1.0.0 y cf-release en versiones anteriores a la v237, contienen un error de lógica de negocio. Un desarrollador de aplicaciones puede crear una ... • https://github.com/cloudfoundry/cloud_controller_ng/issues/568 • CWE-17: DEPRECATED: Code •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6658
https://notcve.org/view.php?id=CVE-2016-6658
29 Mar 2018 — Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller data... • https://pivotal.io/security/cve-2016-6658 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1195
https://notcve.org/view.php?id=CVE-2018-1195
19 Mar 2018 — In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication. En Cloud Controller, en versiones anteriores a la 1.46.0, versiones cf-deployment anteriores a la... • https://www.cloudfoundry.org/blog/cve-2018-1195 • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1190
https://notcve.org/view.php?id=CVE-2018-1190
04 Jan 2018 — An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management. Se ha encontrado un problema en los siguientes productos Pivotal Cloud Foundry: todas las versiones anteriores a ... • http://www.securityfocus.com/bid/102427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-14389
https://notcve.org/view.php?id=CVE-2017-14389
28 Nov 2017 — An issue was discovered in Cloud Foundry Foundation capi-release (all versions prior to 1.45.0), cf-release (all versions prior to v280), and cf-deployment (all versions prior to v1.0.0). The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that belongs to a different user in a different org and space, aka an "Application Subdomain Takeover." Se ha descubierto un problema en Cloud Foundry Foundation capi-release (todas las versiones anteriores a la 1.4... • https://www.cloudfoundry.org/cve-2017-14389 •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-8031
https://notcve.org/view.php?id=CVE-2017-8031
27 Nov 2017 — An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service. Se ha descubierto un problem... • http://www.securityfocus.com/bid/101967 •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5170
https://notcve.org/view.php?id=CVE-2015-5170
24 Oct 2017 — Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes remotos realicen ata... • http://www.securityfocus.com/bid/101579 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5171
https://notcve.org/view.php?id=CVE-2015-5171
24 Oct 2017 — The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. La funcionalidad de cambio de contraseña en Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que los atacantes ... • https://pivotal.io/security/cve-2015-5170-5173 • CWE-613: Insufficient Session Expiration •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5172
https://notcve.org/view.php?id=CVE-2015-5172
24 Oct 2017 — Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes causen un impacto no especificado aprovechando que no caducan los enlaces de reini... • https://pivotal.io/security/cve-2015-5170-5173 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •