CVE-2017-4973 — Improper Privilege Management in Cloud Foundry UAA Bosh

CWE-269 — Improper Privilege Management4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 46.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cloud Foundry UAA Bosh Pivotal Software Cloud Foundry CF Pivotal Software Cloud Foundry UAA

Timeline

PublishedJun 13

Latest updateMay 13

Description

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDcloudfoundry/cloud_foundry_uaa_bosh30+21

▶NVDpivotal_software/cloud_foundry_cf256

▶CVEListV5pivotal_software/cloud_foundry_uaaCloud Foundry UAA

▶NVDpivotal_software/cloud_foundry_uaa35 versions+34

🔴Vulnerability Details

GHSA

Cloud Foundry UAA Privilege Escalation↗2022-05-13

▶

OSV

Cloud Foundry UAA Privilege Escalation↗2022-05-13

▶

CVEList

CVE-2017-4973: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2↗2017-06-13

▶