Cloud Foundry Elastic Runtime@* Security Vulnerabilities and Issues — Cloud Foundry Elastic Runtime@* CVE List

Lucene search

Pivotal SoftwareCloud Foundry Elastic Runtime*

16 matches found

CVE•added 2017/04/24 7:59 p.m.•46 views

CVE-2016-5016

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

5.9CVSS5.7AI score0.00278EPSS

CVE•added 2017/05/25 5:29 p.m.•40 views

CVE-2016-2165

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when they are invalid and are returning them in the 404 response. This could allow malicious scripts to ...

6.5CVSS6.3AI score0.00255EPSS

CVE•added 2017/05/25 5:29 p.m.•39 views

CVE-2015-3189

With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA Standalone versions 2.2.5 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier, old Password Reset Links are not expired after the user changes their current email address to a new one. This vulnerability is applicable onl...

4.3CVSS4.2AI score0.00178EPSS

CVE•added 2017/05/25 5:29 p.m.•38 views

CVE-2015-1834

A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths...

6.5CVSS6.3AI score0.00295EPSS

CVE•added 2017/10/24 5:29 p.m.•38 views

CVE-2015-5173

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."

8.8CVSS9.2AI score0.00484EPSS

CVE•added 2017/05/25 5:29 p.m.•37 views

CVE-2015-3191

With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the change_email form in UAA is vulnerable to a CSRF attack. This allows an attacker to trigger an e-mail change for a user logged into a cloud...

8.8CVSS8.5AI score0.00119EPSS

CVE•added 2017/10/24 5:29 p.m.•37 views

CVE-2015-5170

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.

8.8CVSS9.1AI score0.00306EPSS

CVE•added 2017/05/02 2:59 p.m.•37 views

CVE-2016-5006

The Cloud Controller in Cloud Foundry before 239 logs user-provided service objects at creation, which allows attackers to obtain sensitive user credential information via unspecified vectors.

9.8CVSS9AI score0.00328EPSS

CVE•added 2017/05/25 5:29 p.m.•36 views

CVE-2015-3190

With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA Standalone versions 2.2.6 or earlier and Pivotal Cloud Foundry Runtime 1.4.5 or earlier the UAA logout link is susceptible to an open redirect which allows an attacker to insert malicious web page as a redirect parameter.

6.1CVSS6.1AI score0.00197EPSS

CVE•added 2017/10/24 5:29 p.m.•36 views

CVE-2015-5171

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.

9.8CVSS9.7AI score0.00486EPSS

CVE•added 2017/10/24 5:29 p.m.•35 views

CVE-2015-5172

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.

9.8CVSS9.8AI score0.00398EPSS

CVE•added 2017/05/25 5:29 p.m.•35 views

CVE-2016-3084

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple activ...

8.1CVSS8AI score0.00338EPSS

CVE•added 2016/09/18 2:59 a.m.•34 views

CVE-2016-0926

Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework.

6.1CVSS6AI score0.00315EPSS

CVE•added 2018/03/29 10:29 p.m.•34 views

CVE-2016-6658

Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the ...

9.6CVSS9.2AI score0.0031EPSS

CVE•added 2018/09/11 5:29 p.m.•33 views

CVE-2016-0715

Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5.0 through 1.5.11 and 1.6.0 through 1.6.11 is vulnerable to a remote information disclosure. It was found that original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP B...

5.9CVSS5.5AI score0.00216EPSS

CVE•added 2016/09/18 2:59 a.m.•28 views

CVE-2016-0896

Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address.

7.5CVSS7.2AI score0.0014EPSS