Cloud Foundry UAA password reset vulnerability
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release uaa-release 13.x versions prior to v13.14...
GHSA-CGRG-X34R-78F3 Cloud Foundry UAA password reset vulnerability
An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release uaa-release 13.x versions prior to v13.14...
Cloud Foundry Runtime has Weak Password Recovery Mechanism for Forgotten Password
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry PCF Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links...
Cloud Foundry Arbitrary Code Execution Vulnerability
Pivotal Software Cloud Foundry is an open source Platform-as-a-Service PaaS cloud computing platform from Pivotal Software that provides container scheduling, continuous delivery, and automated service deployment. capi-release and cf-release are both Cloud Foundry releases. A security vulnerabili...
CVE-2016-2169
Cloud Foundry CVE-2016-2169 affects Cloud Foundry Cloud Controller: capi-release versions before 1.0.0 and cf-release versions before v237. The issue is a business-logic flaw where an application could create a route that conflicts with a platform service route, causing traffic intended for the s...
Design/Logic Flaw
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL basic auth or OAuth to access the buildpack through the CLI. For example, the...
CVE-2016-6658
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL basic auth or OAuth to access the buildpack through the CLI. For example, the...
CVE-2016-6658
CVE-2016-6658 affects cf-release before 245. It allows configuring and pushing with a user-provided buildpack URL that may include credentials (basic auth or OAuth) to access a private buildpack. The buildpack URL is stored unencrypted, so an operator with privileged Cloud Controller DB access co...
Improper access control
In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be...
Pivotal Cloud Foundry Runtime cf-release, UAA and UAA bosh cross-site scripting vulnerabilities
Pivotal Cloud Foundry PCF Runtime cf-release and others are products of Pivotal Software, Inc. of the United States. PCF is an open source Platform-as-a-Service PaaS cloud computing platform that provides container scheduling, continuous delivery, and automated service deployment, among other...
CVE-2017-14389
An issue was discovered in Cloud Foundry Foundation capi-release all versions prior to 1.45.0, cf-release all versions prior to v280, and cf-deployment all versions prior to v1.0.0. The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that...
Code injection
An issue was discovered in Cloud Foundry Foundation capi-release all versions prior to 1.45.0, cf-release all versions prior to v280, and cf-deployment all versions prior to v1.0.0. The Cloud Controller does not prevent space developers from creating subdomains to an already existing route that...
CVE-2017-14389
CVE-2017-14389 affects Cloud Foundry Foundation components capi-release (all versions < 1.45.0), cf-release (all versions < v280), and cf-deployment (all versions
CVE-2015-5170
CVE-2015-5170 affects Cloud Foundry components (cf-release before 216, UAA before 2.5.2, PCF Elastic Runtime before 1.7.0) and enables remote CSRF attacks on PWS by exploiting missing CSRF checks, potentially allowing an attacker to log a user into an arbitrary account. The connected records corr...
CVE-2015-5173
CVE-2015-5173 corresponds to a Cloud Foundry security issue described in connected advisories as a weak password recovery/expired reset mechanism affecting cf-release <216, UAA <2.5.2, and PCF Elastic Runtime
CVE-2015-5171
CVE-2015-5171 affects Cloud Foundry components (cf-release <216, UAA <2.5.2, PCF Elastic Runtime
CVE-2017-8047
In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a phishing attack to gain...
CVE-2017-8048
In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42.0 and cf-release versions 268 and later, prior to 274, the original fix for CVE-2017-8033 introduces an API regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially...