CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8047
https://notcve.org/view.php?id=CVE-2017-8047
In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a phishing attack to gain access to user credentials or other sensitive data. NOTE: 274 resolves the vulnerability but has a serious bug that is fixed in 275. En todas las versiones anteriores a la 0.163.0 del desarrollo routing-release y en todas las versiones anteriores a la 274 del desarrollo cf-release de los router de Cloud Foundry, es posible añadir una combinación de caracteres en la URL que permitirá una redirección abierta. Un atacante podría explotar esta vulnerabilidad con un ataque de phishing para obtener acceso a las credenciales de usuario y otros datos sensibles. • https://www.cloudfoundry.org/cve-2017-8047 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 56EXPL: 0CVE-2017-8037
https://notcve.org/view.php?id=CVE-2017-8037
In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release versions after v244 and prior to v270, there is an incomplete fix for CVE-2017-8035. If you took steps to remediate CVE-2017-8035 you should also upgrade to fix this CVE. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation, aka an Information Leak / Disclosure. En Cloud Foundry Foundation CAPI-release en versiones posteriores a la v1.6.0 y anteriores a la v1.38.0 y cf-release en versiones posteriores a la v244 y anteriores a la v270 hay una solución incompleta para CVE-2017-8035. Si ha emprendido acciones para solucionar CVE-2017-8035, también debería actualizar para solucionar este CVE. • http://www.securityfocus.com/bid/100448 https://www.cloudfoundry.org/cve-2017-8037 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints." Se detectó un problema en cf-release versiones anteriores a v258; UAA release versiones 2.x anteriores a v2.7.4.15, versiones 3.6.x anteriores a v3.6.9, versiones 3.9.x anteriores a v3.9.11, y otras versiones anteriores a v3.16.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.13, versiones 24.x anteriores a v24.8, y otras versiones anteriores a v30.1 de Cloud Foundry Foundation. Un usuario autorizado puede usar un ataque de inyección SQL a ciegas para consultar el contenido de la base de datos UAA, también se conoce como "Blind SQL Injection with privileged UAA endpoints." • http://www.securityfocus.com/bid/99254 https://www.cloudfoundry.org/cve-2017-4974 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •