Pivotal Software vulnerabilities rated Medium risk (CVSS v2 base score 4.0 to 6.9)
PUBLISHED | CVE | TITLE | DESCRIPTION | RISK (CVSS v2 base score) |
---|---|---|---|---|
2018-03-29 | CVE-2016-6658 | Information Exposure vulnerability in multiple products | Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack, specified as a URL pointing to the buildpack. | 4.0 |
2018-03-27 | CVE-2018-1231 | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software BOSH CLI | Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper access control vulnerability. | 6.5 |
2018-03-21 | CVE-2018-1230 | Cross-Site Request Forgery (CSRF) vulnerability in Pivotal Software Spring Batch Admin | Pivotal Spring Batch Admin, all versions, does not contain cross-site request forgery protection. | 6.8 |
2018-03-21 | CVE-2018-1229 | Cross-Site Scripting vulnerability in Pivotal Software Spring Batch Admin | Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. | 4.3 |
2018-03-19 | CVE-2018-1197 | Incorrect Permission Assignment for Critical Resource vulnerability in Pivotal Software Windows Stemcells | In Windows Stemcells versions prior to 1200.14, apps running inside containers in Windows on Google Cloud Platform are able to access the instance metadata endpoint. | 6.0 |
2018-03-16 | CVE-2018-1200 | Information Exposure vulnerability in Pivotal Software Pivotal Application Service | Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.26, 1.12.x before 1.12.14, and 2.0.x before 2.0.5) allows unprivileged remote file read in its container via specially crafted links. | 4.3 |
2018-03-13 | CVE-2018-1227 | Unspecified vulnerability in Pivotal Software Concourse | Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. | 5.0 |
2018-02-01 | CVE-2018-1192 | Information Exposure vulnerability in Pivotal Software products | In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the session ID is logged in audit event logs. | 6.5 |
2017-11-27 | CVE-2017-8038 | Unspecified vulnerability in Pivotal Software Credhub-Release 1.1.0 | In Cloud Foundry Foundation Credhub-release version 1.1.0, access control lists (ACLs) enforce whether an authenticated user can perform an operation on a credential. | 4.0 |
2017-11-27 | CVE-2017-8028 | Improper Authentication vulnerability in multiple products | In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and with userSearch set, authentication succeeds with an arbitrary password as long as the username is correct. | 5.1 |
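The CVE-2018-1192 entry above describes a session ID written verbatim into UAA audit event logs, which turns every log reader (and every log shipper) into a session-hijack path. The script below is an added example, not UAA's own code or its actual fix: it scans audit-style `key=value` lines for a raw `sessionId=<...>` field and rewrites it as a truncated SHA-256 so that events remain correlatable without exposing the token. The sample log lines are constructed for this example and only loosely imitate the layout of UAA audit events; the `sha256:` prefix used to mark already-redacted values is a convention assumed here.

```python
import hashlib
import re

# Constructed sample audit lines (not real UAA output): line 1 carries a raw
# session ID, line 2 has no session ID, line 3 is already redacted.
SAMPLE_AUDIT_LOG = """\
2018-01-15T10:02:11.123Z Audit: UserAuthenticationSuccess ('alice'): principal=1a2b3c, origin=[remoteAddress=10.0.1.5, clientId=cf, sessionId=<9F3A2C7B0E1D4F6A8B2C3D4E5F607182>], identityZoneId=[uaa]
2018-01-15T10:02:12.456Z Audit: PrincipalAuthenticationFailure ('bob'): principal=null, origin=[remoteAddress=10.0.1.9, clientId=cf], identityZoneId=[uaa]
2018-01-15T10:02:13.789Z Audit: UserAuthenticationSuccess ('carol'): principal=7d8e9f, origin=[remoteAddress=10.0.1.7, clientId=cf, sessionId=<sha256:0f1e2d3c4b5a6978>], identityZoneId=[uaa]
"""

# Matches the sessionId field as it appears in the constructed lines.
SESSION_ID_RE = re.compile(r"sessionId=<(?P<sid>[^>]*)>")

# Assumed marker for values that have already been replaced by a hash.
REDACTED_PREFIX = "sha256:"


def find_leaked_session_ids(log_text):
    """Return [(line_number, session_id)] for every line carrying a raw session ID."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in SESSION_ID_RE.finditer(line):
            sid = match.group("sid")
            if sid and not sid.startswith(REDACTED_PREFIX):
                leaks.append((lineno, sid))
    return leaks


def redact_session_id(sid):
    """Map a raw session ID to a stable, non-reversible token.

    The same session always yields the same token, so a reader can still
    correlate events from one session, but cannot replay the cookie.
    """
    digest = hashlib.sha256(sid.encode("utf-8")).hexdigest()
    return REDACTED_PREFIX + digest[:16]


def redact_log(log_text):
    """Rewrite every raw sessionId field; already-redacted fields are left alone."""

    def _sub(match):
        sid = match.group("sid")
        if not sid or sid.startswith(REDACTED_PREFIX):
            return match.group(0)
        return "sessionId=<" + redact_session_id(sid) + ">"

    return "\n".join(SESSION_ID_RE.sub(_sub, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for lineno, sid in find_leaked_session_ids(SAMPLE_AUDIT_LOG):
        print("line %d leaks session ID %s" % (lineno, sid))
    print(redact_log(SAMPLE_AUDIT_LOG))
```

Run the scanner against an exported UAA audit log to find out whether a deployment is still on an affected version; the redaction step is for logs that have already been collected, since the real remedy is upgrading to a fixed UAA release.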