Vulnerabilities > CVE-2018-15759 - Improper Restriction of Excessive Authentication Attempts vulnerability in Pivotal Software Broker API and on Demand Services SDK

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

pivotal-software

CWE-307

critical

NVD

Published: 2018-11-19

Updated: 2019-10-09

Summary

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

Vulnerable Configurations

Part	Description	Count
Application	Pivotal_Software Pivotal Software ON Demand Services SDK 0.3.0 Pivotal Software ON Demand Services SDK 0.4.0 Pivotal Software ON Demand Services SDK 0.5.0 Pivotal Software ON Demand Services SDK 0.6.0 Pivotal Software ON Demand Services SDK 0.7.0 Pivotal Software ON Demand Services SDK 0.8.0 Pivotal Software ON Demand Services SDK 0.9.0 Pivotal Software ON Demand Services SDK 0.10.0 Pivotal Software ON Demand Services SDK 0.10.1 Pivotal Software ON Demand Services SDK 0.11.0 Pivotal Software ON Demand Services SDK 0.12.0 Pivotal Software ON Demand Services SDK 0.12.1 Pivotal Software ON Demand Services SDK 0.12.3 Pivotal Software ON Demand Services SDK 0.12.4 Pivotal Software ON Demand Services SDK 0.13.0 Pivotal Software ON Demand Services SDK 0.14.0 Pivotal Software ON Demand Services SDK 0.14.1 Pivotal Software ON Demand Services SDK 0.15.0 Pivotal Software ON Demand Services SDK 0.15.1 Pivotal Software ON Demand Services SDK 0.15.2 Pivotal Software ON Demand Services SDK 0.15.3 Pivotal Software ON Demand Services SDK 0.16.0 Pivotal Software ON Demand Services SDK 0.16.1 Pivotal Software ON Demand Services SDK 0.17.0 Pivotal Software ON Demand Services SDK 0.17.1 Pivotal Software ON Demand Services SDK 0.17.2 Pivotal Software ON Demand Services SDK 0.17.3 Pivotal Software ON Demand Services SDK 0.18.0 Pivotal Software ON Demand Services SDK 0.19.0 Pivotal Software ON Demand Services SDK 0.20.0 Pivotal Software ON Demand Services SDK 0.21.0 Pivotal Software ON Demand Services SDK 0.21.1 Pivotal Software ON Demand Services SDK 0.21.2 Pivotal Software ON Demand Services SDK 0.22.0 Pivotal Software ON Demand Services SDK 0.23.0 Pivotal Software Broker API 1.0.0 Pivotal Software Broker API 2.0.0 Pivotal Software Broker API 2.0.1 Pivotal Software Broker API 2.0.2 Pivotal Software Broker API 2.0.3 Pivotal Software Broker API 2.0.4 Pivotal Software Broker API 2.0.5 Pivotal Software Broker API 3.0.0 Pivotal Software Broker API 3.0.1	56

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References