CVE-2015-3191 — Cross-Site Request Forgery in Cf-release

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 69.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-release Pivotal Software Cloud Foundry Elastic Runtime Pivotal Software Cloud Foundry UAA +1 more

Timeline

PublishedMay 25

Latest updateMay 13

Description

With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integratio…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDpivotal_software/cloud_foundry_elastic_runtime1.4.5

▶NVDcloudfoundry/cf-release209

▶NVDpivotal_software/cloud_foundry_uaa2.2.6

▶CVEListV5pivotal/cloud_foundryRuntime 1.4.5 or earlier, Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier+2

🔴Vulnerability Details

GHSA

GHSA-442q-44xh-2275: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2↗2022-05-13

▶

CVEList

CVE-2015-3191: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2↗2017-05-25

▶