CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2017-4970
https://notcve.org/view.php?id=CVE-2017-4970
An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. A regression introduced in the Static file build pack causes the Staticfile.auth configuration to be ignored when the Static file file is not present in the application root. Applications containing a Staticfile.auth file but not a Static file had their basic auth turned off when an operator upgraded the Static file build pack in the foundation to one of the vulnerable versions. Note that Static file applications without a Static file are technically misconfigured, and will not successfully detect unless the Static file build pack is explicitly specified. Se detectó un problema en cf-release versión v255 y Staticfile buildpack versiones v1.4.0 hasta v1.4.3 de Cloud Foundry Foundation. • https://www.cloudfoundry.org/cve-2017-4970 •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3191
https://notcve.org/view.php?id=CVE-2015-3191
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. En Cloud Foundry Runtime versiones v209 y anteriores, UAA Standalone versiones 2.2.6 o anteriores y Pivotal Cloud Foundry Runtime, versiones 1.4.5 o anteriores, el formulario change_email en UAA es vulnerable a un ataque de tipo CSFR. • https://pivotal.io/security/cve-2015-3191 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 36EXPL: 0CVE-2016-0780
https://notcve.org/view.php?id=CVE-2016-0780
It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/CELLs causing a potential denial of service for other applications. Se detectó que cf-release versión v231 e inferior, Pivotal Cloud Foundry Elastic Runtime versiones 1.5.x anteriores a 1.5.17 y Pivotal Cloud Foundry Elastic Runtime versiones 1.6.x anteriores a 1.6.18, no hacen cumplir las cuotas de disco apropiadamente en ciertos casos. Un atacante podría usar un valor de cuota de disco inapropiado para omitir la ejecución y consumo de todo el disco en DEAs/CELLs, causando una potencial denegación de servicio para otras aplicaciones. • https://pivotal.io/security/cve-2016-0780 • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 0%CPEs: 22EXPL: 0CVE-2016-2165
https://notcve.org/view.php?id=CVE-2016-2165
The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response. Los endpoints de Loggregator Traffic Controller en cf-release versiones v231 e inferiores, Pivotal Elastic Runtime anteriores a 1.5.19 y versiones 1.6.x anteriores a 1.6.20, no están limpiando las rutas (path) URL de petición cuando no son válidas y son devueltas en la respuesta 404 . Esto podría permitir que los scripts maliciosos se escriban directamente en la respuesta 404. • https://pivotal.io/security/cve-2016-2165 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3190
https://notcve.org/view.php?id=CVE-2015-3190
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter. En Cloud Foundry Runtime versiones v209 o anteriores, UAA Standalone versiones 2.2.6 o ateriores y Pivotal Cloud Foundry Runtime versiones 1.4.5 o anteriores, el enlace del UAA logout es susceptible a una redirección abierta que permitiría a un atacante insertar páginas web maliciosas en un parámetro de redirección. • https://pivotal.io/security/cve-2015-3190 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •