Vulnerabilities > Pivotal Software > Cloud Foundry UAA

DATE CVE VULNERABILITY TITLE RISK
2017-10-24 CVE-2015-5171 Insufficient Session Expiration vulnerability in multiple products
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
network
low complexity
pivotal-software cloudfoundry CWE-613
critical
 9.8
9.8
2017-10-24 CVE-2015-5170 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
network
low complexity
pivotal-software cloudfoundry CWE-352
8.8
8.8
2017-07-10 CVE-2017-8032 Improper Privilege Management vulnerability in multiple products
In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12.
network
high complexity
pivotal-software cloudfoundry CWE-269
6.6
6.6
2017-06-13 CVE-2017-4994 Improper Input Validation vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2.x versions prior to v2.7.4.18, 3.6.x versions prior to v3.6.12, 3.9.x versions prior to v3.9.14, and other versions prior to v4.3.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.16, 24.x versions prior to v24.11, 30.x versions prior to 30.4, and other versions prior to v40.
network
low complexity
pivotal-software cloudfoundry CWE-20
7.5
7.5
2017-06-13 CVE-2017-4992 Improper Privilege Management vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37.
network
low complexity
pivotal-software cloudfoundry CWE-269
critical
 9.8
9.8
2017-06-13 CVE-2017-4991 Improper Privilege Management vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36.
network
low complexity
pivotal-software cloudfoundry CWE-269
7.2
7.2
2017-06-13 CVE-2017-4974 SQL Injection vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1.
network
low complexity
pivotal-software cloudfoundry CWE-89
6.5
6.5
2017-06-13 CVE-2017-4973 Improper Privilege Management vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30.
network
low complexity
pivotal-software cloudfoundry CWE-269
8.8
8.8
2017-06-13 CVE-2017-4972 SQL Injection vulnerability in multiple products
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30.
network
low complexity
pivotal-software cloudfoundry CWE-89
7.5
7.5
2017-06-13 CVE-2017-4963 Session Fixation vulnerability in Pivotal Software Cloud Foundry UAA
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions.
network
high complexity
pivotal-software CWE-384
8.1
8.1