Vulnerabilities > Pivotal Software
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-03-29 | CVE-2016-6658 | Information Exposure vulnerability in multiple products Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. | 4.0 |
| 2018-03-27 | CVE-2018-1231 | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Bosh CLI Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper access control vulnerability. | 6.5 |
| 2018-03-21 | CVE-2018-1230 | Cross-Site Request Forgery (CSRF) vulnerability in Pivotal Software Spring Batch Admin Pivotal Spring Batch Admin, all versions, does not contain cross site request forgery protection. | 6.8 |
| 2018-03-21 | CVE-2018-1229 | Cross-site Scripting vulnerability in Pivotal Software Spring Batch Admin Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. | 4.3 |
| 2018-03-19 | CVE-2018-1197 | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Windows Stemcells In Windows Stemcells versions prior to 1200.14, apps running inside containers in Windows on Google Cloud Platform are able to access the metadata endpoint. | 6.0 |
| 2018-03-16 | CVE-2018-1200 | Information Exposure vulnerability in Pivotal Software Pivotal Application Service Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially-crafted links. | 4.3 |
| 2018-03-16 | CVE-2016-9880 | Improper Authentication vulnerability in Pivotal Software Gemfire for Pivotal Cloud Foundry 1.7.0 The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker. | 7.5 |
| 2018-03-13 | CVE-2018-1227 | Unspecified vulnerability in Pivotal Software Concourse Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. | 5.0 |
| 2018-02-01 | CVE-2018-1192 | Information Exposure vulnerability in Pivotal Software products In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. | 6.5 |
| 2018-01-04 | CVE-2017-8046 | Improper Input Validation vulnerability in multiple products Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. | 7.5 |