CVE-2017-2773 — Improper Input Validation in Software Cloud Foundry Elastic Runtime

CWE-20 — Improper Input Validation3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 28.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Cloud Foundry Elastic Runtime

Timeline

PublishedJun 13

Latest updateMay 17

Description

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDpivotal_software/cloud_foundry_elastic_runtime123 versions+122

🔴Vulnerability Details

GHSA

GHSA-q8g2-5223-5rmm: An issue was discovered in Pivotal PCF Elastic Runtime 1↗2022-05-17

▶

CVEList

CVE-2017-2773: An issue was discovered in Pivotal PCF Elastic Runtime 1↗2017-06-13

▶