CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA endpoints." Se detectó un problema en cf-release versiones anteriores a v258; UAA release versiones 2.x anteriores a v2.7.4.15, versiones 3.6.x anteriores a v3.6.9, versiones 3.9.x anteriores a v3.9.11, y otras versiones anteriores a v3.16.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.13, versiones 24.x anteriores a v24.8, y otras versiones anteriores a v30.1 de Cloud Foundry Foundation. Un usuario autorizado puede usar un ataque de inyección SQL a ciegas para consultar el contenido de la base de datos UAA, también se conoce como "Blind SQL Injection with privileged UAA endpoints." • http://www.securityfocus.com/bid/99254 https://www.cloudfoundry.org/cve-2017-4974 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 62EXPL: 0CVE-2017-4972
https://notcve.org/view.php?id=CVE-2017-4972
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. An attacker can use a blind SQL injection attack to query the contents of the UAA database. Se detectó un problema en cf-release versiones anteriores a v257; UAA release versiones 2.x anteriores a v2.7.4.14, versiones 3.6.x anteriores a v3.6.8, versiones 3.9.x anteriores a v3.9.10, y otras versiones anteriores a v3.15.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a v13.12, versiones 24.x anteriores a v24.7, y otras versiones anteriores a v30 de Cloud Foundry Foundation. Un atacante puede usar un ataque de inyección de SQL a ciegas para consultar el contenido de la base de datos UAA. • https://www.cloudfoundry.org/cve-2017-4972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 73EXPL: 0CVE-2017-4992
https://notcve.org/view.php?id=CVE-2017-4992
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. There is privilege escalation (arbitrary password reset) with user invitations. Se detectó un problema en cf-release versiones anteriores a 261; UAA release versiones 2.x anteriores a 2.7.4.17, versiones 3.6.x anteriores a 3.6.11, versiones 3.9.x anteriores a 3.9.13, y otras versiones anteriores a 4.2.0; y UAA bosh release (uaa-release) versiones 13.x anteriores a 13.15, versiones 24.x anteriores a 24.10, versiones 30.x anteriores a 30.3 y otras versiones anteriores a 37 de Cloud Foundry Foundation. Se presenta una escalada de privilegios (restablecimiento arbitrario de contraseña) con invitaciones de usuario. • https://www.cloudfoundry.org/cve-2017-4992 • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2165
https://notcve.org/view.php?id=CVE-2016-2165
The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response. Los endpoints de Loggregator Traffic Controller en cf-release versiones v231 e inferiores, Pivotal Elastic Runtime anteriores a 1.5.19 y versiones 1.6.x anteriores a 1.6.20, no están limpiando las rutas (path) URL de petición cuando no son válidas y son devueltas en la respuesta 404 . Esto podría permitir que los scripts maliciosos se escriban directamente en la respuesta 404. • https://pivotal.io/security/cve-2016-2165 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-4969
https://notcve.org/view.php?id=CVE-2017-4969
The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks. El Cloud Controller en Cloud Foundry cf-release en versiones anteriores a v255 permiten a los usuarios de desarrolladores autenticados superar las cuotas de memoria y disco para las tareas. • https://www.cloudfoundry.org/cve-2017-4969 •