Lucene search

GitHub Advisory DatabaseGHSA-RC2R-W8JV-VGGP

HistoryMay 14, 2022 - 1:30 a.m.

Cloud Foundry vulnerable to Improper Certificate Validation

2022-05-1401:30:57

CWE-295

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.4%

JSON

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

Affected configurations

Vulners

Node

wso2identity_serverRange<3.4.2

wso2identity_serverRange<3.3.0.3

CPENameOperatorVersion
org.cloudfoundry.identity:cloudfoundry-identity-serverlt3.4.2
org.cloudfoundry.identity:cloudfoundry-identity-serverlt3.3.0.3

CPE	Name	Operator	Version
	org.cloudfoundry.identity:cloudfoundry-identity-server	lt	3.4.2
	org.cloudfoundry.identity:cloudfoundry-identity-server	lt	3.3.0.3

References

github.com/advisories/GHSA-rc2r-w8jv-vggp

github.com/cloudfoundry/cf-release/releases/tag/v240

github.com/cloudfoundry/uaa-release/releases/tag/v11.3

github.com/cloudfoundry/uaa-release/releases/tag/v12.3

github.com/cloudfoundry/uaa/commit/0a78612f981c541ad2d997e6a365f2a0b3e799d9

github.com/cloudfoundry/uaa/commit/bc91ccd2029e8f1cea0c647f0c9aad4585f7a2c

github.com/cloudfoundry/uaa/commit/f97049df1c6c03effda5049c41704ac831ff3925

github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

github.com/cloudfoundry/uaa/releases/tag/3.4.2

nvd.nist.gov/vuln/detail/CVE-2016-5016

pivotal.io/security/cve-2016-5016

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.4%

JSON

Related for GHSA-RC2R-W8JV-VGGP