Lucene search

[email protected]CVE-2016-0781

HistoryMay 25, 2017 - 5:29 p.m.

CVE-2016-0781

2017-05-2517:29:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2016-0781

cloud foundry

uaa

xss

oauth

security vulnerability

nvd

pivotal elastic runtime

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

38.4%

JSON

The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in either the OAuth scopes (SCIM groups) or SCIM group descriptions.

Affected configurations

NVD

Node

cloudfoundrycloud_foundry_uaa_boshMatch2

cloudfoundrycloud_foundry_uaa_boshMatch3

cloudfoundrycloud_foundry_uaa_boshMatch4

cloudfoundrycloud_foundry_uaa_boshMatch5

cloudfoundrycloud_foundry_uaa_boshMatch6

cloudfoundrycloud_foundry_uaa_boshMatch7

pivotal_softwarecloud_foundryMatch208

pivotal_softwarecloud_foundryMatch209

pivotal_softwarecloud_foundryMatch210

pivotal_softwarecloud_foundryMatch211

pivotal_softwarecloud_foundryMatch212

pivotal_softwarecloud_foundryMatch213

pivotal_softwarecloud_foundryMatch214

pivotal_softwarecloud_foundryMatch215

pivotal_softwarecloud_foundryMatch216

pivotal_softwarecloud_foundryMatch217

pivotal_softwarecloud_foundryMatch218

pivotal_softwarecloud_foundryMatch219

pivotal_softwarecloud_foundryMatch220

pivotal_softwarecloud_foundryMatch221

pivotal_softwarecloud_foundryMatch222

pivotal_softwarecloud_foundryMatch223

pivotal_softwarecloud_foundryMatch224

pivotal_softwarecloud_foundryMatch225

pivotal_softwarecloud_foundryMatch226

pivotal_softwarecloud_foundryMatch227

pivotal_softwarecloud_foundryMatch228

pivotal_softwarecloud_foundryMatch229

pivotal_softwarecloud_foundryMatch230

pivotal_softwarecloud_foundryMatch231

pivotal_softwarecloud_foundryMatch241

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.0

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.1

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.2

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.3

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.4

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.5

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.6

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.7

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.8

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.9

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.10

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.11

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.12

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.13

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.14

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.15

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.16

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.17

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.18

pivotal_softwarecloud_foundry_elastic_runtimeMatch1.6.19

pivotal_softwarecloud_foundry_uaaRange≤2.7.4.1

pivotal_softwarecloud_foundry_uaaMatch3.0.0

pivotal_softwarecloud_foundry_uaaMatch3.0.1

pivotal_softwarecloud_foundry_uaaMatch3.1.0

pivotal_softwarecloud_foundry_uaaMatch3.2.0

pivotal_softwarelogin-serverMatch-

CPENameOperatorVersion
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq2
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq3
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq4
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq5
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq6
cloudfoundry:cloud_foundry_uaa_boshcloudfoundry cloud foundry uaa bosheq7
pivotal_software:cloud_foundrypivotal software cloud foundryeq208
pivotal_software:cloud_foundrypivotal software cloud foundryeq209
pivotal_software:cloud_foundrypivotal software cloud foundryeq210
pivotal_software:cloud_foundrypivotal software cloud foundryeq211

CPE	Name	Operator	Version
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	2
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	3
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	4
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	5
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	6
cloudfoundry:cloud_foundry_uaa_bosh	cloudfoundry cloud foundry uaa bosh	eq	7
pivotal_software:cloud_foundry	pivotal software cloud foundry	eq	208
pivotal_software:cloud_foundry	pivotal software cloud foundry	eq	209
pivotal_software:cloud_foundry	pivotal software cloud foundry	eq	210
pivotal_software:cloud_foundry	pivotal software cloud foundry	eq	211

Rows per page:

1-10 of 571

CNA Affected

[
  {
    "product": "Cloud Foundry",
    "vendor": "Pivotal",
    "versions": [
      {
        "status": "affected",
        "version": "v208 to v231"
      },
      {
        "status": "affected",
        "version": "Login-server v1.6 to v1.14"
      },
      {
        "status": "affected",
        "version": "UAA v2.0.0 to v2.7.4.1"
      },
      {
        "status": "affected",
        "version": "UAA v3.0.0 to v3.2.0"
      },
      {
        "status": "affected",
        "version": "UAA-Release v2 to v7"
      },
      {
        "status": "affected",
        "version": "Elastic Runtime 1.6.x versions prior to 1.6.20"
      }
    ]
  }
]

References

pivotal.io/security/cve-2016-0781

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

38.4%

JSON

Related for CVE-2016-0781

prion1 nvd1 osv1 cvelist1