Cloud Foundry Uaa@* Security Vulnerabilities and Issues — Cloud Foundry Uaa@* CVE List

Lucene search

Pivotal SoftwareCloud Foundry Uaa*

9 matches found

CVE•added 2019/08/05 5:15 p.m.•46 views

CVE-2019-11270

Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess.

7.5CVSS7.3AI score0.00229EPSS

CVE•added 2018/11/19 2:29 p.m.•45 views

CVE-2018-15761

Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privilege...

9.9CVSS8.7AI score0.0053EPSS

CVE•added 2019/10/23 4:15 p.m.•41 views

CVE-2019-11282

Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint that is vulnerable to SCIM injection attack. A remote authenticated malicious user with scim.invite scope can craft a request with malicious content which can leak information about users of the UAA.

4.3CVSS4.3AI score0.00303EPSS

CVE•added 2019/07/18 4:15 p.m.•41 views

CVE-2019-3794

Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.

6.5CVSS5.6AI score0.00306EPSS

CVE•added 2018/06/25 3:29 p.m.•39 views

CVE-2018-11041

Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redire...

6.1CVSS6.2AI score0.00215EPSS

CVE•added 2017/10/24 5:29 p.m.•38 views

CVE-2015-5173

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."

8.8CVSS9.2AI score0.00484EPSS

CVE•added 2017/10/24 5:29 p.m.•37 views

CVE-2015-5170

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.

8.8CVSS9.1AI score0.00306EPSS

CVE•added 2017/10/24 5:29 p.m.•36 views

CVE-2015-5171

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.

9.8CVSS9.7AI score0.00486EPSS

CVE•added 2017/10/24 5:29 p.m.•35 views

CVE-2015-5172

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.

9.8CVSS9.8AI score0.00398EPSS