Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cloudfoundryCloud FoundryCFOUNDRY:FA4AC349AA696EDF5523469896D1135F
HistoryMay 01, 2017 - 12:00 a.m.

CVE-2017-4974: Blind SQL Injection with privileged UAA endpoints | Cloud Foundry

2017-05-0100:00:00
Cloud Foundry
www.cloudfoundry.org
28

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

33.3%

JSON

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • cf-release versions prior to v258
  • UAA release:
    • 2.x versions prior to v2.7.4.15
    • 3.6.x versions prior to v3.6.9
    • 3.9.x versions prior to v3.9.11
    • Other versions prior to v3.16.0
  • UAA bosh release (uaa-release):
    • 13.x versions prior to v13.13
    • 24.x versions prior to v24.8
    • Other versions prior to v30.1

Description

An authorized user can use a blind SQL injection attack to query the contents of the UAA database.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v258 [1] or later
  • For standalone UAA users:
    • For users using UAA Version 3.0.0 – 3.14.0, please upgrade to UAA Release to v3.16.0 [2] or v3.9.11 [3] or v3.6.9 [4]
    • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.15 [5]
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v30.1 [6] if upgrading to v3.16.0 [2] or v24.8 [7] if upgrading to v3.9.11 [3] and v13.13 [8] if upgrading to v3.6.9 [4]

References

History

2017-05-01: Initial vulnerability report published

Related

cvelist 1
veracode 1
github 1
nvd 1
prion 1
cve 1
osv 2
cvelist
cvelist
CVE-2017-4974
2017-06-13 06:00:00
veracode
veracode
Blind SQL Injection
2017-05-02 02:56:40
github
github
Blind SQL Injection with privileged Cloud Foundry UAA endpoints
2022-05-13 01:07:26
nvd
nvd
CVE-2017-4974
2017-06-13 06:29:00
prion
prion
Sql injection
2017-06-13 06:29:00
cve
cve
CVE-2017-4974
2017-06-13 06:29:00
osv
osv
CVE-2017-4974
2017-06-13 06:29:00
Blind SQL Injection with privileged Cloud Foundry UAA endpoints
2022-05-13 01:07:26

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

33.3%

JSON
Related for CFOUNDRY:FA4AC349AA696EDF5523469896D1135F
cvelist1veracode1github1nvd1prion1cve1osv2