CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2016-3084
https://notcve.org/view.php?id=CVE-2016-3084
25 May 2017 — The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. El flujo de la contr... • https://pivotal.io/security/cve-2016-3084 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2165
https://notcve.org/view.php?id=CVE-2016-2165
25 May 2017 — The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response. Los endpoints de Loggregator Traffic Controller en cf-release versiones v231 e inferiores, Pivotal Elastic Runtime anteriores a 1.5.19 y versiones 1.6.x anteriores a 1.6.... • https://pivotal.io/security/cve-2016-2165 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2016-5006
https://notcve.org/view.php?id=CVE-2016-5006
02 May 2017 — The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. El Cloud Controller en Cloud Foundry versiones anteriores a 239 registra objetos de servicio proporcionados por el usuario durante la creación, lo que permite a los atacantes obtener información sensible de credenciales de usuarios a través de vectores no especificados. • https://pivotal.io/security/cve-2016-5006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2016-6639
https://notcve.org/view.php?id=CVE-2016-6639
18 Sep 2016 — Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products, place the .profile file in the htdocs directory, which might allow remote attackers to obtain sensitive information via an HTTP GET request for this file. Cloud Foundry PHP Buildpack (también conocido como php-buildpack) en versiones anteriores a 4.3.18 y PHP Buildpack Cf-release en versiones an... • https://github.com/cloudfoundry/php-buildpack/commit/e2db3ccd4812e0c0aba20720fc51789d981aba67 • CWE-254: 7PK - Security Features •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2016-0896
https://notcve.org/view.php?id=CVE-2016-0896
18 Sep 2016 — Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address. Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a 1.6.34 y 1.7.x en versiones anteriores a 1.7.12 sitúa 169.254.0.0/16 en el all_open Application Security Group, lo que podría permitir a atacantes remoto... • http://www.securityfocus.com/bid/92161 • CWE-254: 7PK - Security Features •
CVSS: 7.4EPSS: 0%CPEs: 9EXPL: 0CVE-2016-0928
https://notcve.org/view.php?id=CVE-2016-0928
18 Sep 2016 — Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.30 and 1.7.x before 1.7.8 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Múltiples vulnerabilidades de redirección abierta en Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a 1.6.30 y 1.7.x en versiones anteriores a 1.7.8 permite a atacantes remotos redireccionar usuarios a sitios web arbitrarios y llevar a cabo ataques p... • http://www.securityfocus.com/bid/91550 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •