CVSS: 9.8EPSS: 0%CPEs: 73EXPL: 0CVE-2017-4992
https://notcve.org/view.php?id=CVE-2017-4992
13 Jun 2017 — An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Se detectó un problema en cf-release ve... • https://www.cloudfoundry.org/cve-2017-4992 • CWE-269: Improper Privilege Management •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3189
https://notcve.org/view.php?id=CVE-2015-3189
25 May 2017 — With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. En Cloud Foundry Runtime versiones v208 y anteriores, UAA Standalone versiones 2.... • https://pivotal.io/security/cve-2015-3189 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3191
https://notcve.org/view.php?id=CVE-2015-3191
25 May 2017 — With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML o... • https://pivotal.io/security/cve-2015-3191 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2016-3084
https://notcve.org/view.php?id=CVE-2016-3084
25 May 2017 — The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. El flujo de la contr... • https://pivotal.io/security/cve-2016-3084 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3190
https://notcve.org/view.php?id=CVE-2015-3190
25 May 2017 — With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter. En Cloud Foundry Runtime versiones v209 o anteriores, UAA Standalone versiones 2.2.6 o ateriores y Pivotal Cloud Foundry Runtime versiones 1.4.5 o anteriores, el enlace del UAA logout es susceptible a una redirección abier... • https://pivotal.io/security/cve-2015-3190 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 57EXPL: 0CVE-2016-0781
https://notcve.org/view.php?id=CVE-2016-0781
25 May 2017 — The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions. Las páginas de aprobación OAuth de UAA en Cloud Foundry versiones v208 hasta v231, Login-server versiones v1.6 hasta v1.14, UAA versiones v2.0.0 hasta v2... • https://pivotal.io/security/cve-2016-0781 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 48EXPL: 1CVE-2016-4468
https://notcve.org/view.php?id=CVE-2016-4468
11 Apr 2017 — SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en Pivotal Cloud Foundry (PCF) en versiones anteriores a 238; UAA 2.x en versiones anteriores a 2.7.4.4, 3.x en vers... • https://github.com/shanika04/cloudfoundry_uaa • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 29EXPL: 0CVE-2017-4960
https://notcve.org/view.php?id=CVE-2017-4960
10 Mar 2017 — An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack. Se ha descubierto un problema en Cloud Foundry release v247 hasta la versión v252, UAA stand-alone release v3.9.0 hasta la versión v3.11.0 y UAA Bosh Release v21 hasta la versión v26. Hay un potencial para someter a los clientes UAA OAuth a un ataque de denegación de servi... • http://www.securityfocus.com/bid/96780 •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2016-6659
https://notcve.org/view.php?id=CVE-2016-6659
23 Dec 2016 — Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider. Cloud Foundry en versiones anteriores a 248; UAA 2.x en versiones anteriores a 2.7.4.12, 3.x en versiones anteriores a 3.6.5 y 3.7.x hasta la versión ... • http://www.securityfocus.com/bid/95085 • CWE-287: Improper Authentication •
CVSS: 9.6EPSS: 0%CPEs: 97EXPL: 0CVE-2016-6637
https://notcve.org/view.php?id=CVE-2016-6637
30 Sep 2016 — Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page. Múlti... • http://www.securityfocus.com/bid/93245 • CWE-352: Cross-Site Request Forgery (CSRF) •