CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2017-4970
https://notcve.org/view.php?id=CVE-2017-4970
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified. Se detectó un problema en cf-release versión v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. • https://www.cloudfoundry.org/cve-2017-4970 •
CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints." Se detectó un problema en cf-release versiones anteriores a v258; UAA release versiones 2.x anteriores a v2.7.4.15, versiones 3.6.x anteriores a v3.6.9, versiones 3.9.x anteriores a v3.9.11, y otras versiones anteriores a v3.16.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.13, versiones 24.x anteriores a v24.8, y otras versiones anteriores a v30.1 de Cloud Foundry Foundation. Un usuario autorizado puede usar un ataque de inyección SQL a ciegas para consultar el contenido de la base de datos UAA, también se conoce como "Blind SQL Injection with privileged UAA endpoints." • http://www.securityfocus.com/bid/99254 https://www.cloudfoundry.org/cve-2017-4974 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 66EXPL: 0CVE-2017-4991
https://notcve.org/view.php?id=CVE-2017-4991
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36. Privileged users in one zone are allowed to perform a password reset for users in a different zone. Se detectó un problema en cf-release versiones anteriores a 260; UAA release versiones 2.x anteriores a 2.7.4.16, versiones 3.6.x anteriores a 3.6.10, versiones 3.9.x anteriores a 3.9.12, y otras versiones anteriores a 3.17.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.14, versiones 24.x anteriores a 24.9, versiones 30.x anterior a 30.2, y otras versiones anteriores a 36 de Cloud Foundry Foundation. Los usuarios con privilegios de una zona pueden realizar un restablecimiento de contraseña por los usuarios de una zona diferente. • https://www.cloudfoundry.org/cve-2017-4991 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 73EXPL: 0CVE-2017-4992
https://notcve.org/view.php?id=CVE-2017-4992
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Se detectó un problema en cf-release versiones anteriores a 261; UAA release versiones 2.x anteriores a 2.7.4.17, versiones 3.6.x anteriores a 3.6.11, versiones 3.9.x anteriores a 3.9.13, y otras versiones anteriores a 4.2.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.15, versiones 24.x anteriores a 24.10, versiones 30.x anteriores a 30.3 y otras versiones anteriores a 37 de Cloud Foundry Foundation. Se presenta una escalada de privilegios (restablecimiento arbitrario de contraseña) con invitaciones de usuario. • https://www.cloudfoundry.org/cve-2017-4992 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-6655
https://notcve.org/view.php?id=CVE-2016-6655
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-release versions prior to v31. A command injection vulnerability was discovered in a common script used by many Cloud Foundry components. A malicious user may exploit numerous vectors to execute arbitrary commands on servers running Cloud Foundry. Un problema fue descubierto en Cloud Foundry Foundation Cloud Foundry liberado en versiones anteriores a la v245 y cf-mysql liberado anterior a la v31. Una inyección de comando fue descubierta en un script común usado por varios componentes de Cloud Foundry. • http://www.securityfocus.com/bid/93889 https://www.cloudfoundry.org/cve-2016-6655 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •