CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1230
https://notcve.org/view.php?id=CVE-2018-1230
21 Mar 2018 — Pivotal Spring Batch Admin, all versions, does not contain cross site request forgery protection. A remote unauthenticated user could craft a malicious site that executes requests to Spring Batch Admin. This issue has not been patched because Spring Batch Admin has reached end of life. Pivotal Spring Batch Admin, en todas las versiones, no contiene protección contra Cross-Site Request Forgery (CSRF). Un usuario remoto no autenticado podría manipular un sitio malicioso que ejecute peticiones a Spring Batch A... • http://www.securityfocus.com/bid/103463 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1197
https://notcve.org/view.php?id=CVE-2018-1197
19 Mar 2018 — In Windows Stemcells versions prior to 1200.14, apps running inside containers in Windows on Google Cloud Platform are able to access the metadata endpoint. A malicious developer could use this access to gain privileged credentials. En las versiones anteriores a la 1200.14 de Windows Stemcells, las aplicaciones que se ejecutan en contenedores en Windows en Google Cloud Platform pueden acceder al endpoint de metadatos. Un usuario malicioso podría emplear esto para obtener credenciales privilegiados. • https://www.cloudfoundry.org/blog/cve-2018-1197 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9880
https://notcve.org/view.php?id=CVE-2016-9880
16 Mar 2018 — The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker. El broker GemFire para Cloud Foundry, en versiones 1.6.x anteriores a la 1.6.5 y versiones 1.7.x anteriores a la 1.7.1, tiene múltiples endpoints de API que no requieren autenticación y que podrían usarse para obtener acceso al clúster gestionado por el broker. • http://www.securityfocus.com/bid/96146 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1200
https://notcve.org/view.php?id=CVE-2018-1200
16 Mar 2018 — Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially-crafted links. Apps Manager for PCF (Pivotal Application Service en versiones 1.11.x anteriores a la 1.11.26, versiones 1.12.x anteriores a la 1.12.14 y versiones 2.0.x anteriores a la 2.0.5) permite la lectura remota sin autorización en su contenedor mediante enlaces especialmente manipulados. • http://www.securityfocus.com/bid/103042 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1227
https://notcve.org/view.php?id=CVE-2018-1227
13 Mar 2018 — Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org. At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receivin... • https://pivotal.io/security/cve-2018-1227 •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2018-1192
https://notcve.org/view.php?id=CVE-2018-1192
01 Feb 2018 — In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user. En Cloud Foundry Foundation cf-release en versiones anteriores a v285; cf-deployment ... • https://www.cloudfoundry.org/blog/cve-2018-1192 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1190
https://notcve.org/view.php?id=CVE-2018-1190
04 Jan 2018 — An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions prior to v45.0. A cross-site scripting (XSS) attack is possible in the clientId parameter of a request to the UAA OpenID Connect check session iframe endpoint used for single logout session management. Se ha encontrado un problema en los siguientes productos Pivotal Cloud Foundry: todas las versiones anteriores a ... • http://www.securityfocus.com/bid/102427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 11%CPEs: 15EXPL: 11CVE-2017-8046 – Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-8046
04 Jan 2018 — Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. Las peticiones PATCH maliciosas enviadas a servidores que utilizan versiones Spring Data REST anteriores a la 2.6.9 (Ingalls SR9), versiones anteriores a la 3.0.1 (Kay SR1) y versiones Spring Boot anteriores a la 1.5.9, 2.0 M6 pueden utilizar datos JSON espe... • https://packetstorm.news/files/id/146817 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2017-8039
https://notcve.org/view.php?id=CVE-2017-8039
27 Nov 2017 — An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971. Se ha descubierto un problema en Pivotal Spring Web ... • http://www.securityfocus.com/bid/100849 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8038
https://notcve.org/view.php?id=CVE-2017-8038
27 Nov 2017 — In Cloud Foundry Foundation Credhub-release version 1.1.0, access control lists (ACLs) enforce whether an authenticated user can perform an operation on a credential. For installations using ACLs, the ACL was bypassed for the CredHub interpolate endpoint, allowing authenticated applications to view any credential within the CredHub installation. En Cloud Foundry Foundation Credhub-release versión 1.1.0, las listas de control de acceso (ACL) se aplican si un usuario autenticado puede realizar una operación e... • https://www.cloudfoundry.org/cve-2017-8038 •