CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8047
https://notcve.org/view.php?id=CVE-2017-8047
03 Oct 2017 — In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a phishing attack to gain access to user credentials or other sensitive data. NOTE: 274 resolves the vulnerability but has a serious bug that is fixed in 275. En todas las versiones anteriores a la 0.163.0 del desarrollo routing-release y e... • https://www.cloudfoundry.org/cve-2017-8047 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 51EXPL: 0CVE-2016-0732
https://notcve.org/view.php?id=CVE-2016-0732
07 Sep 2017 — The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0.0; UAA-Release 2 through 4, when configured with multiple identity zones; and Elastic Runtime 1.6.0 through 1.6.13 allows remote authenticated users with privileges in one zone to gain privileges and perform operations on a different zone via unspecified vectors. La característica de zonas de identidad en Pivotal Cloud Foundry 208 a 229; UAA 2.0.0 a 2.7.3 y 3.0.0; UAA-Release 2 hasta la 4, cuando se configur... • https://pivotal.io/security/cve-2016-0732 • CWE-269: Improper Privilege Management •
CVSS: 4.7EPSS: 0%CPEs: 88EXPL: 0CVE-2016-0713
https://notcve.org/view.php?id=CVE-2016-0713
31 Aug 2017 — Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks via vectors related to modified requests. Gorouter en Cloud Foundry cf-release v141 a v228 permite que los atacantes Man-in-the-Middle (MitM) realicen ataques Cross-Site Scripting (XSS) mediante vectores relacionados con peticiones modificadas. • https://bosh.io/releases/github.com/cloudfoundry/cf-release?version=229 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 56EXPL: 0CVE-2017-8037
https://notcve.org/view.php?id=CVE-2017-8037
21 Aug 2017 — In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.38.0 and cf-release versions after v244 and prior to v270, there is an incomplete fix for CVE-2017-8035. If you took steps to remediate CVE-2017-8035 you should also upgrade to fix this CVE. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation, aka an Information Leak / Disclosure. En Cloud Foundry Foundation CAPI-release en versiones poste... • http://www.securityfocus.com/bid/100448 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8033
https://notcve.org/view.php?id=CVE-2017-8033
25 Jul 2017 — An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release versions prior to v1.35.0 and cf-release versions prior to v268. A filesystem traversal vulnerability exists in the Cloud Controller that allows a space developer to escalate privileges by pushing a specially crafted application that can write arbitrary files to the Cloud Controller VM. Se ha descubierto en la API Cloud Controller en Cloud Foundry Foundation CAPI-release en versiones anteriores a 1.35.0 y las versio... • https://www.cloudfoundry.org/cve-2017-8033 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8035
https://notcve.org/view.php?id=CVE-2017-8035
25 Jul 2017 — An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release versions after v1.6.0 and prior to v1.35.0 and cf-release versions after v244 and prior to v268. A carefully crafted CAPI request from a Space Developer can allow them to gain access to files on the Cloud Controller VM for that installation. Se ha descubierto en la API Cloud Controller en Cloud Foundry Foundation CAPI-release en versiones posteriores a 1.6.0 y anteriores a 1.35.0 y las versiones cf-release posterior... • https://www.cloudfoundry.org/cve-2017-8035 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8036
https://notcve.org/view.php?id=CVE-2017-8036
24 Jul 2017 — An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release version 1.33.0 (only). The original fix for CVE-2017-8033 included in CAPI-release 1.33.0 introduces a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application. Se ha descubierto un problema en la API Cloud Controller en Cloud Foundry Foundation CAPI-release 1.33.0. La solución original para CVE-2017-8033 en CAPI-release 1.33.0 introduce... • http://www.securityfocus.com/bid/100002 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2017-8034
https://notcve.org/view.php?id=CVE-2017-8034
17 Jul 2017 — The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges. El controlador y el enrutador de nube en Cloud Foundry (publicación de CAPI versiones de capi anteriores a v1.32.0, publicación de enrutamiento versión anterior a v0.159.0,... • https://www.cloudfoundry.org/cve-2017-8034 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 6.6EPSS: 0%CPEs: 81EXPL: 0CVE-2017-8032
https://notcve.org/view.php?id=CVE-2017-8032
10 Jul 2017 — In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider. En cf-release... • https://www.cloudfoundry.org/cve-2017-8032 • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2017-4974
https://notcve.org/view.php?id=CVE-2017-4974
13 Jun 2017 — An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. An authorized user can use a blind SQL injection attack to query the contents of the UAA database, aka "Blind SQL Injection with privileged UAA end... • http://www.securityfocus.com/bid/99254 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •