CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6658
https://notcve.org/view.php?id=CVE-2016-6658
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials. Applications en cf-release, en versiones anteriores a la 245, puede configurarse e insertarse con un buildpack personalizado proporcionado por el usuario mediante una URL que señale al buildpack. • https://pivotal.io/security/cve-2016-6658 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5170
https://notcve.org/view.php?id=CVE-2015-5170
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes remotos realicen ataques Cross-Site Request Forgery (CSRF) en PWS y registren un usuario en una cuenta arbitraria aprovechándose de la falta de chequeos contra CSRF. • http://www.securityfocus.com/bid/101579 https://pivotal.io/security/cve-2015-5170-5173 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5173
https://notcve.org/view.php?id=CVE-2015-5173
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que los atacantes causen un impacto no especificado mediante vectores que involucren emails con enlaces de recuperación de contraseñas. Esta vulnerabilidad también se conoce como "Cross Domain Referer Leakage". • https://pivotal.io/security/cve-2015-5170-5173 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5171
https://notcve.org/view.php?id=CVE-2015-5171
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. La funcionalidad de cambio de contraseña en Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que los atacantes causen un impacto no especificado aprovechando que no caducan las sesiones existentes. • https://pivotal.io/security/cve-2015-5170-5173 • CWE-613: Insufficient Session Expiration •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5172
https://notcve.org/view.php?id=CVE-2015-5172
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes causen un impacto no especificado aprovechando que no caducan los enlaces de reinicio de contraseña. • https://pivotal.io/security/cve-2015-5170-5173 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •