Vulnerabilities > Pivotal Software
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-09-30 | CVE-2016-6636 | Open Redirect vulnerability in multiple products The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain. | 5.0 |
| 2016-09-18 | CVE-2016-0929 | Information Exposure vulnerability in Pivotal Software Rabbitmq The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line. | 5.0 |
| 2016-09-18 | CVE-2016-0927 | Cross-site Scripting vulnerability in Pivotal Software Cloud Foundry Elastic Runtime Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2016-09-18 | CVE-2016-0926 | Cross-site Scripting vulnerability in Pivotal Software Cloud Foundry Elastic Runtime Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework. | 4.3 |
| 2016-09-18 | CVE-2016-0897 | Cryptographic Issues vulnerability in Pivotal Software Operations Manager Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors. | 7.5 |
| 2016-09-18 | CVE-2016-0896 | 7PK - Security Features vulnerability in Pivotal Software Cloud Foundry Elastic Runtime Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address. | 7.5 |
| 2016-09-18 | CVE-2016-0883 | Improper Authentication vulnerability in Pivotal Software Operations Manager Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation. | 5.0 |
| 2016-07-12 | CVE-2015-3192 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. | 4.3 |
| 2015-03-10 | CVE-2015-0201 | 7PK - Security Features vulnerability in multiple products The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. | 5.0 |
| 2015-02-19 | CVE-2014-3578 | Path Traversal vulnerability in Pivotal Software Spring Framework Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. | 5.0 |