CVSS: 8.8EPSS: 0%CPEs: 48EXPL: 0CVE-2016-4468
https://notcve.org/view.php?id=CVE-2016-4468
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en Pivotal Cloud Foundry (PCF) en versiones anteriores a 238; UAA 2.x en versiones anteriores a 2.7.4.4, 3.x en versiones anteriores a 3.3.0.2 y 3.4.x en versiones anteriores a 3.4.1; UAA BOSH en versiones anteriores a 11.2 y 12.x en versiones anteriores a 12.2; Elastic Runtime en versiones anteriores a 1.6.29 y 1.7.x en versiones anteriores a 1.7.7; y Ops Manager 1.7.x en versiones anteriores a 1.7.8 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados. • https://lists.cloudfoundry.org/archives/list/cf-dev%40lists.cloudfoundry.org/thread/WMTZBIH5U7DTOOX2SNRVTPQI3U2AINOB https://pivotal.io/security/cve-2016-4468 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 29EXPL: 0CVE-2017-4960
https://notcve.org/view.php?id=CVE-2017-4960
An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack. Se ha descubierto un problema en Cloud Foundry release v247 hasta la versión v252, UAA stand-alone release v3.9.0 hasta la versión v3.11.0 y UAA Bosh Release v21 hasta la versión v26. Hay un potencial para someter a los clientes UAA OAuth a un ataque de denegación de servicio. • http://www.securityfocus.com/bid/96780 https://www.cloudfoundry.org/cve-2017-4960 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2016-9885
https://notcve.org/view.php?id=CVE-2016-9885
An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster. Se descubrió un problema en Pivotal GemFire para PCF 1.6.x versiones previas a 1.6.5 y 1.7.x versiones previas a 1.7.1. • http://www.securityfocus.com/bid/95270 https://pivotal.io/security/cve-2016-9885 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 76EXPL: 0CVE-2016-9877
https://notcve.org/view.php?id=CVE-2016-9877
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. Un problema fue descubierto en Pivotal RabbitMQ 3.x en versiones anteriores a 3.5.8 y 3.6.x en versiones anteriores a 3.6.6 y RabbitMQ for PCF 1.5.x en versiones anteriores a 1.5.20, 1.6.x en versiones anteriores a 1.6.12 y 1.7.x en versiones anteriores a 1.7.7. Autenticación de conexión MQTT (MQ Telemetry Transport) con un nombre de usuario/contraseña tiene éxito si se provee un nombre de usuario existente pero la contraseña es omitida de la petición de conexión. • http://www.debian.org/security/2017/dsa-3761 http://www.securityfocus.com/bid/95065 https://pivotal.io/security/cve-2016-9877 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03880en_us • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 32EXPL: 0CVE-2016-9878 – Framework: Directory Traversal in the Spring Framework ResourceServlet
https://notcve.org/view.php?id=CVE-2016-9878
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. Un problema fue descubierto en Pivotal Spring Framework en versiones anteriores a 3.2.18, 4.2.x en versiones anteriores a 4.2.9 y 4.3.x en versiones anteriores a 4.3.5. Las rutas proporcionadas al ResourceServlet no fueron desinfectadas adecuadamente y como resultado expuestas a ataques de salto de directorio. It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.securityfocus.com/bid/95072 http://www.securitytracker.com/id/1040698 https://access.redhat.com/errata/RHSA-2017:3115 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://pivotal.io/security/cve-2016-9878 https://security.netapp.com/adviso • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •