CPE Details
Pivotal Software Cloud Foundry uaa-release 2 for BOSH
2
2019-07-15
13h35 +00:00
13h35 +00:00
2021-04-26
13h32 +00:00
13h32 +00:00
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:a:pivotal_software:cloud_foundry_uaa-release:2:*:*:*:*:bosh:*:*
Informations
Vendor
pivotal_softwareProduct
cloud_foundry_uaa-releaseVersion
2Target Software
boshRelated CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones. | 4.3 |
Moyen |
||
| Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account. | 8.8 |
Haute |
||
| An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | 8.1 |
Haute |
||
| Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. | 5.9 |
Moyen |
