Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for cloud_foundry_uaa-release by pivotal_software

    CVE-2019-11268 (GCVE-0-2019-11268)

    Vulnerability from nvd – Published: 2019-07-11 18:11 – Updated: 2024-09-17 03:13
    VLAI
    Title
    UAA SQL Identity Zone Vulnerability
    Summary
    Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: prior to v73.3.0
    Create a notification for this product.
    Date Public
    2019-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.032Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v73.3.0"
                }
              ]
            }
          ],
          "datePublic": "2019-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Information Exposure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-11T18:11:36.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA SQL Identity Zone Vulnerability",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-06-27T23:26:15.000Z",
              "ID": "CVE-2019-11268",
              "STATE": "PUBLIC",
              "TITLE": "UAA SQL Identity Zone Vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v73.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200: Information Exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-11268",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11268",
        "datePublished": "2019-07-11T18:11:36.916Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:13:54.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3787 (GCVE-0-2019-3787)

    Vulnerability from nvd – Published: 2019-06-19 22:28 – Updated: 2024-09-16 21:57
    VLAI
    Title
    UAA defaults email address to an insecure domain
    Summary
    Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: All , < v73.0.0 (custom)
    Create a notification for this product.
    Date Public
    2019-05-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "v73.0.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending \u201cunknown.org\u201d to a user\u0027s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user\u0027s account."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-840",
                  "description": "CWE-840: Business Logic Errors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-19T22:28:07.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA defaults email address to an insecure domain",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secure@dell.com",
              "DATE_PUBLIC": "2019-05-14T00:00:00.000Z",
              "ID": "CVE-2019-3787",
              "STATE": "PUBLIC",
              "TITLE": "UAA defaults email address to an insecure domain"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "v73.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending \u201cunknown.org\u201d to a user\u0027s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user\u0027s account."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-840: Business Logic Errors"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-3787",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3787",
        "datePublished": "2019-06-19T22:28:07.316Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:57:57.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-15754 (GCVE-0-2018-15754)

    Vulnerability from nvd – Published: 2018-12-13 22:00 – Updated: 2024-09-16 17:24
    VLAI
    Title
    UAA can issue tokens across identity providers if users with matching usernames exist
    Summary
    Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
    CWE
    • Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release Affected: 60 , < 66.0 (custom)
    Create a notification for this product.
    Date Public
    2018-12-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:01:54.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "106240",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106240"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "66.0",
                  "status": "affected",
                  "version": "60",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-12-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-19T21:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "106240",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106240"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA can issue tokens across identity providers if users with matching usernames exist",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-12-10T00:00:00.000Z",
              "ID": "CVE-2018-15754",
              "STATE": "PUBLIC",
              "TITLE": "UAA can issue tokens across identity providers if users with matching usernames exist"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "60",
                                "version_value": "66.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "106240",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106240"
                },
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-15754/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
                },
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-15754",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-15754",
        "datePublished": "2018-12-13T22:00:00.000Z",
        "dateReserved": "2018-08-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:24:01.117Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11041 (GCVE-0-2018-11041)

    Vulnerability from nvd – Published: 2018-06-25 15:00 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.
    Severity
    No CVSS data available.
    CWE
    • Open Redirect
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry Cloud Foundry UAA Affected: later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5
    Create a notification for this product.
    Date Public
    2018-06-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.475Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry UAA",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5"
                }
              ]
            }
          ],
          "datePublic": "2018-06-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Open Redirect",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-25T14:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-06-21T04:00:00.000Z",
              "ID": "CVE-2018-11041",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry UAA",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-11041/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11041",
        "datePublished": "2018-06-25T15:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:54.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1262 (GCVE-0-2018-1262)

    Vulnerability from nvd – Published: 2018-05-15 20:00 – Updated: 2024-09-16 17:08
    VLAI
    Summary
    Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry CloudFoundry UAA Affected: 4.12.X and 4.13.X
    Create a notification for this product.
    Date Public
    2018-05-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:51:49.178Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CloudFoundry UAA",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.12.X and 4.13.X"
                }
              ]
            }
          ],
          "datePublic": "2018-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-15T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-05-09T00:00:00",
              "ID": "CVE-2018-1262",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CloudFoundry UAA",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.12.X and 4.13.X"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-1262/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1262",
        "datePublished": "2018-05-15T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:08:52.142Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1192 (GCVE-0-2018-1192)

    Vulnerability from nvd – Published: 2018-02-01 20:00 – Updated: 2024-08-05 03:51
    VLAI
    Summary
    In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
    Severity
    No CVSS data available.
    CWE
    • UAA SessionID present in Audit Event Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3 Affected: Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3
    Date Public
    2018-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:51:49.039Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3"
                }
              ]
            }
          ],
          "datePublic": "2018-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "UAA SessionID present in Audit Event Logs",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-01T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2018-1192",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "UAA SessionID present in Audit Event Logs"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-1192/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1192",
        "datePublished": "2018-02-01T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:51:49.039Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-4963 (GCVE-0-2017-4963)

    Vulnerability from nvd – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
    VLAI
    Summary
    An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
    Severity
    No CVSS data available.
    CWE
    • Session Fixation for UAA External Authentication
    Assigner
    References
    URL Tags
    https://www.cloudfoundry.org/cve-2017-4963/ x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    n/a Cloud Foundry Foundation Affected: Cloud Foundry Foundation
    Date Public
    2017-06-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:47:43.348Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/cve-2017-4963/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry Foundation",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Cloud Foundry Foundation"
                }
              ]
            }
          ],
          "datePublic": "2017-06-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 \u0026 v3.0.0 - v3.11.0, and UAA bosh release v26 \u0026 earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Session Fixation for UAA External Authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-13T05:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/cve-2017-4963/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2017-4963",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry Foundation",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Cloud Foundry Foundation"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 \u0026 v3.0.0 - v3.11.0, and UAA bosh release v26 \u0026 earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Session Fixation for UAA External Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/cve-2017-4963/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/cve-2017-4963/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2017-4963",
        "datePublished": "2017-06-13T06:00:00.000Z",
        "dateReserved": "2016-12-29T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:47:43.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5016 (GCVE-0-2016-5016)

    Vulnerability from nvd – Published: 2017-04-24 19:00 – Updated: 2024-08-06 00:46
    VLAI
    Summary
    Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-08-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:46:40.228Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2016-5016"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-08-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-04-24T18:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2016-5016"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-5016",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
                },
                {
                  "name": "https://github.com/cloudfoundry/cf-release/releases/tag/v240",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
                },
                {
                  "name": "https://pivotal.io/security/cve-2016-5016",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2016-5016"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-5016",
        "datePublished": "2017-04-24T19:00:00.000Z",
        "dateReserved": "2016-05-24T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:46:40.228Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11268 (GCVE-0-2019-11268)

    Vulnerability from cvelistv5 – Published: 2019-07-11 18:11 – Updated: 2024-09-17 03:13
    VLAI
    Title
    UAA SQL Identity Zone Vulnerability
    Summary
    Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: prior to v73.3.0
    Create a notification for this product.
    Date Public
    2019-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.032Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v73.3.0"
                }
              ]
            }
          ],
          "datePublic": "2019-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Information Exposure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-11T18:11:36.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA SQL Identity Zone Vulnerability",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-06-27T23:26:15.000Z",
              "ID": "CVE-2019-11268",
              "STATE": "PUBLIC",
              "TITLE": "UAA SQL Identity Zone Vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v73.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200: Information Exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-11268",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-11268"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11268",
        "datePublished": "2019-07-11T18:11:36.916Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:13:54.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-3787 (GCVE-0-2019-3787)

    Vulnerability from cvelistv5 – Published: 2019-06-19 22:28 – Updated: 2024-09-16 21:57
    VLAI
    Title
    UAA defaults email address to an insecure domain
    Summary
    Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release (OSS) Affected: All , < v73.0.0 (custom)
    Create a notification for this product.
    Date Public
    2019-05-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T19:19:18.288Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release (OSS)",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "v73.0.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-05-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending \u201cunknown.org\u201d to a user\u0027s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user\u0027s account."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-840",
                  "description": "CWE-840: Business Logic Errors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-19T22:28:07.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA defaults email address to an insecure domain",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secure@dell.com",
              "DATE_PUBLIC": "2019-05-14T00:00:00.000Z",
              "ID": "CVE-2019-3787",
              "STATE": "PUBLIC",
              "TITLE": "UAA defaults email address to an insecure domain"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release (OSS)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "v73.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending \u201cunknown.org\u201d to a user\u0027s email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user\u0027s account."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-840: Business Logic Errors"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2019-3787",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2019-3787"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2019-3787",
        "datePublished": "2019-06-19T22:28:07.316Z",
        "dateReserved": "2019-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:57:57.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-15754 (GCVE-0-2018-15754)

    Vulnerability from cvelistv5 – Published: 2018-12-13 22:00 – Updated: 2024-09-16 17:24
    VLAI
    Title
    UAA can issue tokens across identity providers if users with matching usernames exist
    Summary
    Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider.
    CWE
    • Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry UAA Release Affected: 60 , < 66.0 (custom)
    Create a notification for this product.
    Date Public
    2018-12-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:01:54.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "106240",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/106240"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "UAA Release",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "lessThan": "66.0",
                  "status": "affected",
                  "version": "60",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-12-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-19T21:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "106240",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/106240"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "UAA can issue tokens across identity providers if users with matching usernames exist",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-12-10T00:00:00.000Z",
              "ID": "CVE-2018-15754",
              "STATE": "PUBLIC",
              "TITLE": "UAA can issue tokens across identity providers if users with matching usernames exist"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "UAA Release",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "60",
                                "version_value": "66.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization logic error. In environments with multiple identity providers that contain accounts across identity providers with the same username, a remote authenticated user with access to one of these accounts may be able to obtain a token for an account of the same username in the other identity provider."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "106240",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/106240"
                },
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-15754/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-15754/"
                },
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-15754",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-15754"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-15754",
        "datePublished": "2018-12-13T22:00:00.000Z",
        "dateReserved": "2018-08-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:24:01.117Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11041 (GCVE-0-2018-11041)

    Vulnerability from cvelistv5 – Published: 2018-06-25 15:00 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.
    Severity
    No CVSS data available.
    CWE
    • Open Redirect
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry Cloud Foundry UAA Affected: later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5
    Create a notification for this product.
    Date Public
    2018-06-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:54:36.475Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry UAA",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5"
                }
              ]
            }
          ],
          "datePublic": "2018-06-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Open Redirect",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-25T14:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-06-21T04:00:00.000Z",
              "ID": "CVE-2018-11041",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry UAA",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-11041/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-11041/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-11041",
        "datePublished": "2018-06-25T15:00:00.000Z",
        "dateReserved": "2018-05-14T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:54.199Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1262 (GCVE-0-2018-1262)

    Vulnerability from cvelistv5 – Published: 2018-05-15 20:00 – Updated: 2024-09-16 17:08
    VLAI
    Summary
    Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Foundry CloudFoundry UAA Affected: 4.12.X and 4.13.X
    Create a notification for this product.
    Date Public
    2018-05-09 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:51:49.178Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "CloudFoundry UAA",
              "vendor": "Cloud Foundry",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.12.X and 4.13.X"
                }
              ]
            }
          ],
          "datePublic": "2018-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-05-15T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "DATE_PUBLIC": "2018-05-09T00:00:00",
              "ID": "CVE-2018-1262",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "CloudFoundry UAA",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.12.X and 4.13.X"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Foundry"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a feature which could allow privilege escalation across identity zones for clients performing offline validation. A zone administrator could configure their zone to issue tokens which impersonate another zone, granting up to admin privileges in the impersonated zone for clients performing offline token validation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-1262/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-1262/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1262",
        "datePublished": "2018-05-15T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:08:52.142Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1192 (GCVE-0-2018-1192)

    Vulnerability from cvelistv5 – Published: 2018-02-01 20:00 – Updated: 2024-08-05 03:51
    VLAI
    Summary
    In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.
    Severity
    No CVSS data available.
    CWE
    • UAA SessionID present in Audit Event Logs
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3 Affected: Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3
    Date Public
    2018-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:51:49.039Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3"
                }
              ]
            }
          ],
          "datePublic": "2018-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "UAA SessionID present in Audit Event Logs",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-01T19:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2018-1192",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "UAA SessionID present in Audit Event Logs"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/blog/cve-2018-1192/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/blog/cve-2018-1192/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2018-1192",
        "datePublished": "2018-02-01T20:00:00.000Z",
        "dateReserved": "2017-12-06T00:00:00.000Z",
        "dateUpdated": "2024-08-05T03:51:49.039Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-4963 (GCVE-0-2017-4963)

    Vulnerability from cvelistv5 – Published: 2017-06-13 06:00 – Updated: 2024-08-05 14:47
    VLAI
    Summary
    An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
    Severity
    No CVSS data available.
    CWE
    • Session Fixation for UAA External Authentication
    Assigner
    References
    URL Tags
    https://www.cloudfoundry.org/cve-2017-4963/ x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    n/a Cloud Foundry Foundation Affected: Cloud Foundry Foundation
    Date Public
    2017-06-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:47:43.348Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cloudfoundry.org/cve-2017-4963/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Cloud Foundry Foundation",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Cloud Foundry Foundation"
                }
              ]
            }
          ],
          "datePublic": "2017-06-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 \u0026 v3.0.0 - v3.11.0, and UAA bosh release v26 \u0026 earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Session Fixation for UAA External Authentication",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-13T05:57:01.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cloudfoundry.org/cve-2017-4963/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security_alert@emc.com",
              "ID": "CVE-2017-4963",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Cloud Foundry Foundation",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Cloud Foundry Foundation"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 \u0026 v3.0.0 - v3.11.0, and UAA bosh release v26 \u0026 earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Session Fixation for UAA External Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cloudfoundry.org/cve-2017-4963/",
                  "refsource": "CONFIRM",
                  "url": "https://www.cloudfoundry.org/cve-2017-4963/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2017-4963",
        "datePublished": "2017-06-13T06:00:00.000Z",
        "dateReserved": "2016-12-29T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:47:43.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5016 (GCVE-0-2016-5016)

    Vulnerability from cvelistv5 – Published: 2017-04-24 19:00 – Updated: 2024-08-06 00:46
    VLAI
    Summary
    Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-08-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T00:46:40.228Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2016-5016"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-08-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-04-24T18:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2016-5016"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-5016",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa/releases/tag/3.4.2"
                },
                {
                  "name": "https://github.com/cloudfoundry/cf-release/releases/tag/v240",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/cf-release/releases/tag/v240"
                },
                {
                  "name": "https://pivotal.io/security/cve-2016-5016",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2016-5016"
                },
                {
                  "name": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-5016",
        "datePublished": "2017-04-24T19:00:00.000Z",
        "dateReserved": "2016-05-24T00:00:00.000Z",
        "dateUpdated": "2024-08-06T00:46:40.228Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }