Vulnerabilities > Cloudfoundry

DATE CVE VULNERABILITY TITLE RISK
2017-05-25 CVE-2016-0781 Cross-site Scripting vulnerability in multiple products
The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.
network
low complexity
pivotal-software cloudfoundry CWE-79
6.1
2017-05-25 CVE-2016-0780 Resource Management Errors vulnerability in multiple products
It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases.
network
low complexity
pivotal-software cloudfoundry CWE-399
7.5
2017-05-25 CVE-2016-0761 Data Processing Errors vulnerability in multiple products
Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used to delete, corrupt or overwrite host files and directories, including other container filesystems on the host.
network
low complexity
pivotal-software cloudfoundry CWE-19
critical
9.8
2017-05-25 CVE-2015-3191 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack.
network
low complexity
pivotal-software cloudfoundry CWE-352
8.8
2017-05-25 CVE-2015-3190 Open Redirect vulnerability in multiple products
With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.
network
low complexity
pivotal-software cloudfoundry CWE-601
6.1
2017-05-25 CVE-2015-3189 Weak Password Recovery Mechanism for Forgotten Password vulnerability in multiple products
With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one.
network
high complexity
pivotal-software cloudfoundry CWE-640
3.7
2017-05-25 CVE-2015-1834 Path Traversal vulnerability in multiple products
A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2.
network
low complexity
pivotal-software cloudfoundry CWE-22
6.5
2017-04-20 CVE-2017-4969 Unspecified vulnerability in Cloudfoundry Cf-Release
The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks.
network
low complexity
cloudfoundry
6.5
2017-04-11 CVE-2016-4468 SQL Injection vulnerability in multiple products
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
pivotal-software cloudfoundry CWE-89
8.8
2017-04-06 CVE-2017-4964 Code Injection vulnerability in Cloudfoundry Bosh Azure CPI 22
Cloud Foundry Foundation BOSH Azure CPI v22 could potentially allow a maliciously crafted stemcell to execute arbitrary code on VMs created by the director, aka a "CPI code injection vulnerability."
local
low complexity
cloudfoundry CWE-94
8.8