CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2017-8034
https://notcve.org/view.php?id=CVE-2017-8034
The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges. El controlador y el enrutador de nube en Cloud Foundry (publicación de CAPI versiones de capi anteriores a v1.32.0, publicación de enrutamiento versión anterior a v0.159.0, publicación de CF versión anterior a v267), no comprueban el emisor en los Tokens Web JSON (JWTs) de la UAA. Con determinadas configuraciones UAA multizona, los administradores de zona pueden escalar sus privilegios. • https://www.cloudfoundry.org/cve-2017-8034 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 7.2EPSS: 0%CPEs: 66EXPL: 0CVE-2017-4991
https://notcve.org/view.php?id=CVE-2017-4991
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36. Privileged users in one zone are allowed to perform a password reset for users in a different zone. Se detectó un problema en cf-release versiones anteriores a 260; UAA release versiones 2.x anteriores a 2.7.4.16, versiones 3.6.x anteriores a 3.6.10, versiones 3.9.x anteriores a 3.9.12, y otras versiones anteriores a 3.17.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.14, versiones 24.x anteriores a 24.9, versiones 30.x anterior a 30.2, y otras versiones anteriores a 36 de Cloud Foundry Foundation. Los usuarios con privilegios de una zona pueden realizar un restablecimiento de contraseña por los usuarios de una zona diferente. • https://www.cloudfoundry.org/cve-2017-4991 • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints." Se detectó un problema en cf-release versiones anteriores a v258; UAA release versiones 2.x anteriores a v2.7.4.15, versiones 3.6.x anteriores a v3.6.9, versiones 3.9.x anteriores a v3.9.11, y otras versiones anteriores a v3.16.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.13, versiones 24.x anteriores a v24.8, y otras versiones anteriores a v30.1 de Cloud Foundry Foundation. Un usuario autorizado puede usar un ataque de inyección SQL a ciegas para consultar el contenido de la base de datos UAA, también se conoce como "Blind SQL Injection with privileged UAA endpoints." • http://www.securityfocus.com/bid/99254 https://www.cloudfoundry.org/cve-2017-4974 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 62EXPL: 0CVE-2017-4972
https://notcve.org/view.php?id=CVE-2017-4972
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. An attacker can use a blind SQL injection attack to query the contents of the UAA database. Se detectó un problema en cf-release versiones anteriores a v257; UAA release versiones 2.x anteriores a v2.7.4.14, versiones 3.6.x anteriores a v3.6.8, versiones 3.9.x anteriores a v3.9.10, y otras versiones anteriores a v3.15.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.12, versiones 24.x anteriores a v24.7, y otras versiones anteriores a v30 de Cloud Foundry Foundation. Un atacante puede usar un ataque de inyección de SQL a ciegas para consultar el contenido de la base de datos UAA. • https://www.cloudfoundry.org/cve-2017-4972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 73EXPL: 0CVE-2017-4992
https://notcve.org/view.php?id=CVE-2017-4992
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Se detectó un problema en cf-release versiones anteriores a 261; UAA release versiones 2.x anteriores a 2.7.4.17, versiones 3.6.x anteriores a 3.6.11, versiones 3.9.x anteriores a 3.9.13, y otras versiones anteriores a 4.2.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.15, versiones 24.x anteriores a 24.10, versiones 30.x anteriores a 30.3 y otras versiones anteriores a 37 de Cloud Foundry Foundation. Se presenta una escalada de privilegios (restablecimiento arbitrario de contraseña) con invitaciones de usuario. • https://www.cloudfoundry.org/cve-2017-4992 • CWE-269: Improper Privilege Management •