cbcvebase.

Pivotal Software Cloud Foundry Uaa vulnerabilities

32 known vulnerabilities affecting pivotal_software/cloud_foundry_uaa.

Total CVEs
32
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH18MEDIUM9LOW1

Vulnerabilities

Page 2 of 2
CVE-2015-5170P3HIGHCVSS 8.8fixed in 2.5.22017-10-24
CVE-2015-5170 [HIGH] CWE-352 CVE-2015-5170: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elast Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
nvd
CVE-2015-5173P4HIGHCVSS 8.8fixed in 2.5.22017-10-24
CVE-2015-5173 [HIGH] CWE-200 CVE-2015-5173: Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elast Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."
nvd
CVE-2017-4960P4HIGHCVSS 7.5v3.9.0v3.9.1+9 more2017-03-10
CVE-2017-4960 [HIGH] CVE-2017-4960: An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 t An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack.
nvd
CVE-2016-6636P4MEDIUMCVSS 5.3v2.3.0v2.3.1+19 more2016-09-30
CVE-2016-6636 [MEDIUM] CWE-601 CVE-2016-6636: The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7 The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri s
nvd
CVE-2017-8032P4MEDIUMCVSS 6.6v2.2.5.4v2.7.1+45 more2017-07-10
CVE-2017-8032 [MEDIUM] CWE-269 CVE-2017-8032: In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x ve In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5,
nvd
CVE-2016-5016P4MEDIUMCVSS 5.9≤ 3.4.12017-04-24
CVE-2016-5016 [MEDIUM] CWE-295 CVE-2016-5016: Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and ea Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
nvd
CVE-2018-11041P4MEDIUMCVSS 6.1fixed in 4.7.5fixed in 4.10.1+1 more2018-06-25
CVE-2018-11041 [MEDIUM] CWE-601 CVE-2018-11041: Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-rel Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link th
nvd
CVE-2016-0781P4MEDIUMCVSS 6.1≤ 2.7.4.1v3.0.0+3 more2017-05-25
CVE-2016-0781 [MEDIUM] CWE-79 CVE-2016-0781: The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 t The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descripti
nvd
CVE-2015-3190P4MEDIUMCVSS 6.1≤ 2.2.62017-05-25
CVE-2015-3190 [MEDIUM] CWE-601 CVE-2015-3190: With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or ear With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.
nvd
CVE-2019-3794P4MEDIUMCVSS 5.4fixed in 73.4.02019-07-18
CVE-2019-3794 [MEDIUM] CWE-284 CVE-2019-3794: Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endp Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.
nvd
CVE-2019-11282P4MEDIUMCVSS 4.3fixed in 74.3.02019-10-23
CVE-2019-11282 [MEDIUM] CWE-200 CVE-2019-11282: Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM inject Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.
nvd
CVE-2015-3189P4LOWCVSS 3.7≤ 2.2.52017-05-25
CVE-2015-3189 [LOW] CWE-640 CVE-2015-3189: With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or ear With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authenticati
nvd
Pivotal Software Cloud Foundry Uaa vulnerabilities | cvebase