CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3189
https://notcve.org/view.php?id=CVE-2015-3189
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. En Cloud Foundry Runtime versiones v208 y anteriores, UAA Standalone versiones 2.2.5 o anteriores y Pivotal Cloud Foundry Runtime, versiones 1.4.5 o anteriores, los enlaces a contraseñas antiguas reseteadas no expiran después de que un usuario cambie su dirección de correo electrónico actual a una nueva. Esta vulnerabilidad aplica solo cuando se almacena el UAA del usuario interno para la autenticación. • https://pivotal.io/security/cve-2015-3189 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3190
https://notcve.org/view.php?id=CVE-2015-3190
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter. En Cloud Foundry Runtime versiones v209 o anteriores, UAA Standalone versiones 2.2.6 o ateriores y Pivotal Cloud Foundry Runtime versiones 1.4.5 o anteriores, el enlace del UAA logout es susceptible a una redirección abierta que permitiría a un atacante insertar páginas web maliciosas en un parámetro de redirección. • https://pivotal.io/security/cve-2015-3190 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 36EXPL: 0CVE-2016-0780
https://notcve.org/view.php?id=CVE-2016-0780
It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/CELLs causing a potential denial of service for other applications. Se detectó que cf-release versión v231 e inferior, Pivotal Cloud Foundry Elastic Runtime versiones 1.5.x anteriores a 1.5.17 y Pivotal Cloud Foundry Elastic Runtime versiones 1.6.x anteriores a 1.6.18, no hacen cumplir las cuotas de disco apropiadamente en ciertos casos. Un atacante podría usar un valor de cuota de disco inapropiado para omitir la ejecución y consumo de todo el disco en DEAs/CELLs, causando una potencial denegación de servicio para otras aplicaciones. • https://pivotal.io/security/cve-2016-0780 • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-1834
https://notcve.org/view.php?id=CVE-2015-1834
A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths in the user input. It aims at accessing files and directories that are stored outside the web root folder, for disallowed reading or even executing arbitrary system commands. An attacker could use a certain parameter of the file path for instance to inject '../' sequences in order to navigate through the file system. In this particular case a remote authenticated attacker can exploit the identified vulnerability in order to upload arbitrary files to the server running a Cloud Controller instance - outside the isolated application container. • http://www.securityfocus.com/bid/98691 https://pivotal.io/security/cve-2015-1834 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 18EXPL: 0CVE-2016-0761
https://notcve.org/view.php?id=CVE-2016-0761
Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used to delete, corrupt or overwrite host files and directories, including other container filesystems on the host. Garden-Linux versiones anteriores a v0.333.0 y Elastic Runtime versiones 1.6.x anteriores a 1.6.17 de Cloud Foundry, contienen un fallo en la administración de archivos de contenedor durante la preparación de la imagen Docker que se podría usar para eliminar, corromper o sobrescribir archivos y directorios del host, incluyendo otros sistemas de archivos de contenedor en el host. • https://pivotal.io/security/cve-2016-0761 • CWE-19: Data Processing Errors •