Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cf\-Release
(Cloudfoundry)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 35 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-05-25 | CVE-2015-1834 | A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths in the user input. It aims at accessing files and directories that are stored outside the web root folder, for disallowed reading or even executing arbitrary system commands. An attacker could use... | Cf\-Release, Cloud_foundry_elastic_runtime | 6.5 | ||
| 2017-05-25 | CVE-2015-3189 | With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected. | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 3.7 | ||
| 2017-05-25 | CVE-2015-3190 | With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter. | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 6.1 | ||
| 2017-05-25 | CVE-2015-3191 | With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud foundry instance via a malicious link on a attacker controlled site. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for... | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 8.8 | ||
| 2017-05-25 | CVE-2016-0780 | It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all the disk on DEAs/CELLs causing a potential denial of service for other applications. | Cf\-Release, Cloud_foundry_elastic_runtime | 7.5 | ||
| 2017-05-25 | CVE-2016-2165 | The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to be written directly into the 404 response. | Cf\-Release, Cloud_foundry_elastic_runtime | 6.5 | ||
| 2017-10-24 | CVE-2015-5170 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 8.8 | ||
| 2017-10-24 | CVE-2015-5171 | The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 9.8 | ||
| 2017-10-24 | CVE-2015-5172 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 9.8 | ||
| 2017-10-24 | CVE-2015-5173 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." | Cf\-Release, Cloud_foundry_elastic_runtime, Cloud_foundry_uaa | 8.8 |