CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38826 – CVE-2024-38826 Cloud Controller Denial of Service Attack
https://notcve.org/view.php?id=CVE-2024-38826
11 Nov 2024 — Authenticated users can upload specifically crafted files to leak server resources. This behavior can potentially be used to run a denial of service attack against Cloud Controller. The Cloud Foundry project recommends upgrading the following releases: * Upgrade capi release version to 1.194.0 or greater * Upgrade cf-deployment version to v44.1.0 or greater. This includes a patched capi release • https://www.cloudfoundry.org/blog/cve-2024-38826-cloud-controller-denial-of-service-attack • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1003025
https://notcve.org/view.php?id=CVE-2019-1003025
20 Feb 2019 — A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Existe una vulnerabilidad de exposición de información sensible en Jenkins Cloud Foundry Plugin, en versiones 2.3.1 y anteriores, en AbstractCloudFoundryPushDes... • http://www.securityfocus.com/bid/107295 • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2016-3084
https://notcve.org/view.php?id=CVE-2016-3084
25 May 2017 — The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. El flujo de la contr... • https://pivotal.io/security/cve-2016-3084 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2016-5006
https://notcve.org/view.php?id=CVE-2016-5006
02 May 2017 — The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. El Cloud Controller en Cloud Foundry versiones anteriores a 239 registra objetos de servicio proporcionados por el usuario durante la creación, lo que permite a los atacantes obtener información sensible de credenciales de usuarios a través de vectores no especificados. • https://pivotal.io/security/cve-2016-5006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5016
https://notcve.org/view.php?id=CVE-2016-5016
24 Apr 2017 — Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. Pivotal Cloud Foundry 239 y versiones anteriores, UAA ( también conocido como User Account y Authentication Server) 3.4.1 y versiones anteriores, lanzamiento UAA 12.2 y versiones anteriores, PCF (también conocido co... • https://github.com/cloudfoundry/cf-release/releases/tag/v240 • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 1%CPEs: 48EXPL: 1CVE-2016-4468
https://notcve.org/view.php?id=CVE-2016-4468
11 Apr 2017 — SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en Pivotal Cloud Foundry (PCF) en versiones anteriores a 238; UAA 2.x en versiones anteriores a 2.7.4.4, 3.x en vers... • https://github.com/shanika04/cloudfoundry_uaa • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2016-6659
https://notcve.org/view.php?id=CVE-2016-6659
23 Dec 2016 — Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider. Cloud Foundry en versiones anteriores a 248; UAA 2.x en versiones anteriores a 2.7.4.12, 3.x en versiones anteriores a 3.6.5 y 3.7.x hasta la versión ... • http://www.securityfocus.com/bid/95085 • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 97EXPL: 0CVE-2016-6636
https://notcve.org/view.php?id=CVE-2016-6636
30 Sep 2016 — The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain. La implementación de autorización OAuth en Pivotal Cloud Fo... • http://www.securityfocus.com/bid/93246 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.6EPSS: 0%CPEs: 97EXPL: 0CVE-2016-6637
https://notcve.org/view.php?id=CVE-2016-6637
30 Sep 2016 — Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page. Múlti... • http://www.securityfocus.com/bid/93245 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 77EXPL: 0CVE-2016-6651
https://notcve.org/view.php?id=CVE-2016-6651
30 Sep 2016 — The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token. El dispositivo final UAA /oauth/token en Pivotal Cloud Foundry (PCF) en versiones anteriores a 243; UAA... • http://www.securityfocus.com/bid/93241 • CWE-264: Permissions, Privileges, and Access Controls •