CVE-2015-5172
https://notcve.org/view.php?id=CVE-2015-5172
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes causen un impacto no especificado aprovechando que no caducan los enlaces de reinicio de contraseña. • https://pivotal.io/security/cve-2015-5170-5173 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2017-8047
https://notcve.org/view.php?id=CVE-2017-8047
In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a phishing attack to gain access to user credentials or other sensitive data. NOTE: 274 resolves the vulnerability but has a serious bug that is fixed in 275. En todas las versiones anteriores a la 0.163.0 del desarrollo routing-release y en todas las versiones anteriores a la 274 del desarrollo cf-release de los router de Cloud Foundry, es posible añadir una combinación de caracteres en la URL que permitirá una redirección abierta. Un atacante podría explotar esta vulnerabilidad con un ataque de phishing para obtener acceso a las credenciales de usuario y otros datos sensibles. • https://www.cloudfoundry.org/cve-2017-8047 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2017-8048
https://notcve.org/view.php?id=CVE-2017-8048
In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42.0 and cf-release versions 268 and later, prior to 274, the original fix for CVE-2017-8033 introduces an API regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application. NOTE: 274 resolves the vulnerability but has a serious bug that is fixed in 275. En las versiones de la 1.33.0 hasta la 1.42.0 del desarrollo capi-release y las versiones de la 268 hasta la 274 (no inclusive) del desarrollo cf-release de Cloud Foundry, la solución original para CVE-2017-8033 introduce una regresión de API que permite que un desarrollador de espacio ejecute código arbitrario en la máquina virtual de Cloud Controller abriendo una aplicación especialmente manipulada. NOTA: 274 resuelve la vulnerabilidad pero tiene un error grave que se resuelve en 275. • https://www.cloudfoundry.org/cve-2017-8048 •
CVE-2016-0732
https://notcve.org/view.php?id=CVE-2016-0732
The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0.0; UAA-Release 2 through 4, when configured with multiple identity zones; and Elastic Runtime 1.6.0 through 1.6.13 allows remote authenticated users with privileges in one zone to gain privileges and perform operations on a different zone via unspecified vectors. La característica de zonas de identidad en Pivotal Cloud Foundry 208 a 229; UAA 2.0.0 a 2.7.3 y 3.0.0; UAA-Release 2 hasta la 4, cuando se configura con múltiples zonas de identidad; y Elastic Runtime 1.6.0 hasta la 1.6.13 permite que los usuarios remotos autenticados con privilegios en una zona obtengan privilegios y realicen operaciones en una zona diferente mediante vectores no especificados. • https://pivotal.io/security/cve-2016-0732 • CWE-269: Improper Privilege Management •
CVE-2016-0713
https://notcve.org/view.php?id=CVE-2016-0713
Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks via vectors related to modified requests. Gorouter en Cloud Foundry cf-release v141 a v228 permite que los atacantes Man-in-the-Middle (MitM) realicen ataques Cross-Site Scripting (XSS) mediante vectores relacionados con peticiones modificadas. • https://bosh.io/releases/github.com/cloudfoundry/cf-release?version=229 https://lists.cloudfoundry.org/archives/list/cf-dev%40lists.cloudfoundry.org/thread/VWDLUNTDKW5CW5JWEM5BOHLJ3J32TAFF • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •