Vulnerabilities > Pivotal Software

Each entry lists the publication date, CVE identifier and vulnerability title, followed by the description, the CVSS attack vector and attack complexity, the affected vendors, the CWE weakness and the risk (severity label where the listing gives one, plus the CVSS score).

2018-03-29  CVE-2016-6658  Information Exposure vulnerability in multiple products
    Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack.
    Attack vector: network. Attack complexity: low. Vendors: cloudfoundry, pivotal-software. Weakness: CWE-200. Risk: critical, CVSS 9.6.

2018-03-27  CVE-2018-1231  Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Bosh CLI
    Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper access control vulnerability.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-732. Risk: CVSS 8.8.

2018-03-21  CVE-2018-1230  Cross-Site Request Forgery (CSRF) vulnerability in Pivotal Software Spring Batch Admin
    Pivotal Spring Batch Admin, all versions, does not contain cross site request forgery protection.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-352. Risk: CVSS 8.8.

2018-03-21  CVE-2018-1229  Cross-site Scripting vulnerability in Pivotal Software Spring Batch Admin
    Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-79. Risk: CVSS 6.1.

2018-03-19  CVE-2018-1197  Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Windows Stemcells
    In Windows Stemcells versions prior to 1200.14, apps running inside containers in Windows on Google Cloud Platform are able to access the metadata endpoint.
    Attack vector: network. Attack complexity: high. Vendor: pivotal-software. Weakness: CWE-732. Risk: CVSS 8.5.

2018-03-16  CVE-2018-1200  Information Exposure vulnerability in Pivotal Software Pivotal Application Service
    Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially-crafted links.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-200. Risk: CVSS 6.5.

2018-03-16  CVE-2016-9880  Improper Authentication vulnerability in Pivotal Software Gemfire for Pivotal Cloud Foundry 1.7.0
    The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-287. Risk: critical, CVSS 9.8.

2018-03-13  CVE-2018-1227  Unspecified vulnerability in Pivotal Software Concourse
    Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Risk: CVSS 7.5.

2018-02-01  CVE-2018-1192  Information Exposure vulnerability in Pivotal Software products
    In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs.
    Attack vector: network. Attack complexity: low. Vendor: pivotal-software. Weakness: CWE-200. Risk: CVSS 8.8.

2018-01-04  CVE-2017-8046  Improper Input Validation vulnerability in multiple products
    Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
    Attack vector: network. Attack complexity: low. Vendors: vmware, pivotal-software. Weakness: CWE-20. Risk: critical, CVSS 9.8.