Vulnerabilities > Cloudfoundry

DATE CVE VULNERABILITY TITLE RISK
2017-03-10 CVE-2017-4960 An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26.
network
low complexity
pivotal-software cloudfoundry
7.5
2017-01-13 CVE-2016-9882 Information Exposure Through Log Files vulnerability in Cloudfoundry Capi-Release and Cf-Release
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v250 and CAPI-release versions prior to v1.12.0.
network
low complexity
cloudfoundry CWE-532
7.5
2016-12-23 CVE-2016-6659 Improper Authentication vulnerability in multiple products
Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider.
network
high complexity
pivotal-software cloudfoundry CWE-287
8.1
2016-09-30 CVE-2016-6651 Permissions, Privileges, and Access Controls vulnerability in multiple products
The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token.
network
low complexity
pivotal-software cloudfoundry CWE-264
8.8
2016-09-30 CVE-2016-6637 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.
network
low complexity
pivotal-software cloudfoundry CWE-352
critical
9.6
2016-09-30 CVE-2016-6636 Open Redirect vulnerability in multiple products
The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain.
network
low complexity
pivotal-software cloudfoundry CWE-601
5.3
2016-09-18 CVE-2016-6639 7PK - Security Features vulnerability in multiple products
Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products, place the .profile file in the htdocs directory, which might allow remote attackers to obtain sensitive information via an HTTP GET request for this file.
network
low complexity
cloudfoundry pivotal CWE-254
7.5