The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.
CPE | Name | Operator | Version |
---|---|---|---|
cloud_foundry_uaa_bosh | le | 10 | |
cloud_foundry | le | 236 | |
cloud_foundry_elastic_runtime | le | 1.7.1 | |
cloud_foundry_uaa | le | 3.3.0 |