Lucene search

GitHub Advisory DatabaseGHSA-RC2R-W8JV-VGGP

HistoryMay 14, 2022 - 1:30 a.m.

Cloud Foundry vulnerable to Improper Certificate Validation

2022-05-1401:30:57

CWE-295

GitHub Advisory Database

github.com

cloud foundry

uaa

pivotal

certificate validation

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.9

Confidence

High

EPSS

0.003

Percentile

66.3%

JSON

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

Affected configurations

Vulners

Node

org.cloudfoundry.identitycloudfoundry-identity-serverRange3.4.0–3.4.2

org.cloudfoundry.identitycloudfoundry-identity-serverRange3.0.0–3.3.0.3

VendorProductVersionCPE
org.cloudfoundry.identitycloudfoundry-identity-server*cpe:2.3:a:org.cloudfoundry.identity:cloudfoundry-identity-server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.cloudfoundry.identity	cloudfoundry-identity-server	*	cpe:2.3:a:org.cloudfoundry.identity:cloudfoundry-identity-server::::::::

References

github.com/advisories/GHSA-rc2r-w8jv-vggp

github.com/cloudfoundry/cf-release/releases/tag/v240

github.com/cloudfoundry/uaa-release/releases/tag/v11.3

github.com/cloudfoundry/uaa-release/releases/tag/v12.3

github.com/cloudfoundry/uaa/commit/0a78612f981c541ad2d997e6a365f2a0b3e799d9

github.com/cloudfoundry/uaa/commit/bc91ccd2029e8f1cea0c647f0c9aad4585f7a2c

github.com/cloudfoundry/uaa/commit/f97049df1c6c03effda5049c41704ac831ff3925

github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

github.com/cloudfoundry/uaa/releases/tag/3.4.2

nvd.nist.gov/vuln/detail/CVE-2016-5016

pivotal.io/security/cve-2016-5016

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.9

Confidence

High

EPSS

0.003

Percentile

66.3%

JSON

Related for GHSA-RC2R-W8JV-VGGP