
CVE-2016-3084

2017-05-25 17:29:00
CWE-264
web.nvd.nist.gov
Tags: uaa, reset password, cloud foundry, vulnerability, brute force, attack, security, cve-2016-3084

CVSS2: 4.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 61.3%)

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Affected configurations

NVD node (any of the following matches):
  cloudfoundry / cloud_foundry_uaa_bosh          Range: 10
  pivotal_software / cloud_foundry               Range: 236
  pivotal_software / cloud_foundry_elastic_runtime  Range: 1.7.1
  pivotal_software / cloud_foundry_uaa           Range: 3.3.0
  pivotal_software / login-server                Match: -

CNA Affected

[
  {
    "product": "Cloud Foundry",
    "vendor": "Pivotal",
    "versions": [
      {
        "status": "affected",
        "version": "release v236 and earlier versions"
      },
      {
        "status": "affected",
        "version": "UAA release v3.3.0 and earlier versions"
      },
      {
        "status": "affected",
        "version": "All versions of Login-server"
      },
      {
        "status": "affected",
        "version": "UAA release v10 and earlier versions"
      },
      {
        "status": "affected",
        "version": "Elastic Runtime versions prior to 1.7.2"
      }
    ]
  }
]
