The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
CPE | Name | Operator | Version |
---|---|---|---|
cf-release | eq | 198 | |
cf-release | eq | 91 | |
cf-release | eq | 1.5.3 | |
cf-release | eq | 112 | |
cf-release | eq | rc145.0 | |
cf-release | eq | 1.5.4.1 | |
cf-release | eq | 228 | |
cf-release | eq | 8 | |
cf-release | eq | 120 | |
cf-release | eq | 1.0.1 |