CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6658
https://notcve.org/view.php?id=CVE-2016-6658
29 Mar 2018 — Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repo. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller data... • https://pivotal.io/security/cve-2016-6658 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5170
https://notcve.org/view.php?id=CVE-2015-5170
24 Oct 2017 — Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes remotos realicen ata... • http://www.securityfocus.com/bid/101579 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5171
https://notcve.org/view.php?id=CVE-2015-5171
24 Oct 2017 — The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. La funcionalidad de cambio de contraseña en Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que los atacantes ... • https://pivotal.io/security/cve-2015-5170-5173 • CWE-613: Insufficient Session Expiration •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5172
https://notcve.org/view.php?id=CVE-2015-5172
24 Oct 2017 — Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que atacantes causen un impacto no especificado aprovechando que no caducan los enlaces de reini... • https://pivotal.io/security/cve-2015-5170-5173 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-5173
https://notcve.org/view.php?id=CVE-2015-5173
24 Oct 2017 — Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." Cloud Foundry Runtime cf-release en versiones anteriores a la 216, UAA en versiones anteriores a la 2.5.2 y Pivotal Cloud Foundry (PCF) Elastic Runtime en versiones anteriores a la 1.7.0 permite que los atacantes causen un impacto no especificado med... • https://pivotal.io/security/cve-2015-5170-5173 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 123EXPL: 0CVE-2017-2773
https://notcve.org/view.php?id=CVE-2017-2773
13 Jun 2017 — An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue. Se ha descubierto un problema en Pivotal PCF Elastic Runtime en version... • http://www.securityfocus.com/bid/97135 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 143EXPL: 0CVE-2017-4955
https://notcve.org/view.php?id=CVE-2017-4955
13 Jun 2017 — An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.65, 1.7.x versions prior to 1.7.48, 1.8.x versions prior to 1.8.28, and 1.9.x versions prior to 1.9.5. Several credentials were present in the logs for the Notifications errand in the PCF Elastic Runtime tile. Se detectó un problema en las versiones de PCF Elastic Runtime de Pivotal versiones 1.6.x anteriores a 1.6.65, versiones 1.7.x anteriores a 1.7.48, versiones 1.8.x anteriores a 1.8.28 y versiones 1.9.x anteriores a 1.9.... • http://www.securityfocus.com/bid/97082 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2016-3084
https://notcve.org/view.php?id=CVE-2016-3084
25 May 2017 — The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. El flujo de la contr... • https://pivotal.io/security/cve-2016-3084 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2016-5006
https://notcve.org/view.php?id=CVE-2016-5006
02 May 2017 — The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors. El Cloud Controller en Cloud Foundry versiones anteriores a 239 registra objetos de servicio proporcionados por el usuario durante la creación, lo que permite a los atacantes obtener información sensible de credenciales de usuarios a través de vectores no especificados. • https://pivotal.io/security/cve-2016-5006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2016-5016
https://notcve.org/view.php?id=CVE-2016-5016
24 Apr 2017 — Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. Pivotal Cloud Foundry 239 y versiones anteriores, UAA ( también conocido como User Account y Authentication Server) 3.4.1 y versiones anteriores, lanzamiento UAA 12.2 y versiones anteriores, PCF (también conocido co... • https://github.com/cloudfoundry/cf-release/releases/tag/v240 • CWE-295: Improper Certificate Validation •