CVE-2017-4970
https://notcve.org/view.php?id=CVE-2017-4970
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified. Se detectó un problema en cf-release versión v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. • https://www.cloudfoundry.org/cve-2017-4970 •
CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints." Se detectó un problema en cf-release versiones anteriores a v258; UAA release versiones 2.x anteriores a v2.7.4.15, versiones 3.6.x anteriores a v3.6.9, versiones 3.9.x anteriores a v3.9.11, y otras versiones anteriores a v3.16.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.13, versiones 24.x anteriores a v24.8, y otras versiones anteriores a v30.1 de Cloud Foundry Foundation. Un usuario autorizado puede usar un ataque de inyección SQL a ciegas para consultar el contenido de la base de datos UAA, también se conoce como "Blind SQL Injection with privileged UAA endpoints." • http://www.securityfocus.com/bid/99254 https://www.cloudfoundry.org/cve-2017-4974 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-4972
https://notcve.org/view.php?id=CVE-2017-4972
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. An attacker can use a blind SQL injection attack to query the contents of the UAA database. Se detectó un problema en cf-release versiones anteriores a v257; UAA release versiones 2.x anteriores a v2.7.4.14, versiones 3.6.x anteriores a v3.6.8, versiones 3.9.x anteriores a v3.9.10, y otras versiones anteriores a v3.15.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.12, versiones 24.x anteriores a v24.7, y otras versiones anteriores a v30 de Cloud Foundry Foundation. Un atacante puede usar un ataque de inyección de SQL a ciegas para consultar el contenido de la base de datos UAA. • https://www.cloudfoundry.org/cve-2017-4972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-4992
https://notcve.org/view.php?id=CVE-2017-4992
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Se detectó un problema en cf-release versiones anteriores a 261; UAA release versiones 2.x anteriores a 2.7.4.17, versiones 3.6.x anteriores a 3.6.11, versiones 3.9.x anteriores a 3.9.13, y otras versiones anteriores a 4.2.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.15, versiones 24.x anteriores a 24.10, versiones 30.x anteriores a 30.3 y otras versiones anteriores a 37 de Cloud Foundry Foundation. Se presenta una escalada de privilegios (restablecimiento arbitrario de contraseña) con invitaciones de usuario. • https://www.cloudfoundry.org/cve-2017-4992 • CWE-269: Improper Privilege Management •
CVE-2016-8219
https://notcve.org/view.php?id=CVE-2016-8219
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to 250 and CAPI-release versions prior to 1.12.0. A user with the SpaceAuditor role is over-privileged with the ability to restage applications. This could cause application downtime if the restage fails. Se ha descubierto un problema en Cloud Foundry Foundation cf-release en versiones anteriores a 250 y las versiones CAPI-release anteriores a la 1.12.0. Un usuario con el rol SpaceAuditor tiene demasiados privilegios y la capacidad de realizar una copia intermedia de las aplicaciones. • https://www.cloudfoundry.org/cve-2016-8219 • CWE-269: Improper Privilege Management •