Pivotal Software Cloud Foundry Uaa vulnerabilities
32 known vulnerabilities affecting pivotal_software/cloud_foundry_uaa.
Total CVEs
32
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH18MEDIUM9LOW1
Vulnerabilities
Page 1 of 2
CVE-2016-4468P3HIGHCVSS 8.8≤ 3.4.02017-04-11
CVE-2016-4468 [HIGH] CWE-89 CVE-2016-4468: SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x b
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified v
nvd
CVE-2017-4992P3CRITICALCVSS 9.8≤ 4.2.0v2.2.5.4+42 more2017-06-13
CVE-2017-4992 [CRITICAL] CWE-269 CVE-2017-4992: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior
nvd
CVE-2018-15761P3HIGHCVSS 8.8fixed in 4.23.02018-11-19
CVE-2018-15761 [HIGH] CVE-2018-15761: Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a va
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
nvd
CVE-2016-6651P3HIGHCVSS 8.8≤ 3.7.02016-09-30
CVE-2016-6651 [HIGH] CWE-264 CVE-2016-6651: The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x
The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to
nvd
CVE-2017-4973P3HIGHCVSS 8.8v2.2.5.4v2.7.1+34 more2017-06-13
CVE-2017-4973 [HIGH] CWE-269 CVE-2017-4973: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior
nvd
CVE-2018-1192P3HIGHCVSS 8.8≥ 4.5.0, < 4.5.5≥ 4.7.0, < 4.7.4+1 more2018-02-01
CVE-2018-1192 [HIGH] CWE-200 CVE-2018-1192: In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7;
In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event l
nvd
CVE-2016-3084P3HIGHCVSS 8.1≤ 3.3.02017-05-25
CVE-2016-3084 [HIGH] CWE-264 CVE-2016-3084: The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 a
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicabl
nvd
CVE-2015-3191P3HIGHCVSS 8.8≤ 2.2.62017-05-25
CVE-2015-3191 [HIGH] CWE-352 CVE-2015-3191: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or ear
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker con
nvd
CVE-2017-4972P3HIGHCVSS 7.5≤ 3.15.0v2.2.5.4+37 more2017-06-13
CVE-2017-4972 [HIGH] CWE-89 CVE-2017-4972: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior t
nvd
CVE-2016-6637P3CRITICALCVSS 9.6v2.3.0v2.3.1+19 more2016-09-30
CVE-2016-6637 [CRITICAL] CWE-352 CVE-2016-6637: Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242
Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 all
nvd
CVE-2016-6659P3HIGHCVSS 8.1≤ 3.9.22016-12-23
CVE-2016-6659 [HIGH] CWE-287 CVE-2016-6659: Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before
Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML prov
nvd
CVE-2018-11047P3HIGHCVSS 7.5≥ 4.5.0, < 4.5.7≥ 4.7.0, < 4.7.6+3 more2018-07-24
CVE-2018-11047 [HIGH] CWE-863 CVE-2018-11047: Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 a
Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the posse
nvd
CVE-2015-5172P3CRITICALCVSS 9.8fixed in 2.5.22017-10-24
CVE-2015-5172 [CRITICAL] CWE-640 CVE-2015-5172: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elast
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.
nvd
CVE-2015-5171P3CRITICALCVSS 9.8fixed in 2.5.22017-10-24
CVE-2015-5171 [CRITICAL] CWE-613 CVE-2015-5171: The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2,
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
nvd
CVE-2018-1262P3HIGHCVSS 7.2v4.12.0v4.12.1+6 more2018-05-15
CVE-2018-1262 [HIGH] CVE-2018-1262: Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow pri
Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offl
nvd
CVE-2017-4963P3HIGHCVSS 8.1≥ 2.0.0, ≤ 2.7.4.12≥ 3.0.0, ≤ 3.11.02017-06-13
CVE-2017-4963 [HIGH] CWE-384 CVE-2017-4963: An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions,
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
nvd
CVE-2019-11270P3HIGHCVSS 7.5fixed in 73.4.02019-08-05
CVE-2019-11270 [HIGH] CWE-269 CVE-2019-11270: Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possess
Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.
nvd
CVE-2017-4994P3HIGHCVSS 7.5≤ 4.2.0v2.2.5.4+44 more2017-06-13
CVE-2017-4994 [HIGH] CWE-20 CVE-2017-4994: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2.x versions prior to v2.7.4.18, 3.6.x versions prior to v3.6.12, 3.9.x versions prior to v3.9.14, and other versions prior to v4.3.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.16, 24.x versions prior to v24.11, 30.x versions prior to 30
nvd
CVE-2017-4991P3HIGHCVSS 7.2≤ 4.2.0v2.2.5.4+37 more2017-06-13
CVE-2017-4991 [HIGH] CWE-269 CVE-2017-4991: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 3
nvd
CVE-2017-4974P3MEDIUMCVSS 6.5≤ 4.2.0v2.2.5.4+38 more2017-06-13
CVE-2017-4974 [MEDIUM] CWE-89 CVE-2017-4974: An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior
nvd
1 / 2Next →