CVE-2016-3084

Published on: 05/25/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:03 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Cloud Foundry from Pivotal Software contain the following vulnerability:

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

  • CVE-2016-3084 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: Pivotal - Cloud Foundry version release v236 and earlier versions
  • Affected Vendor/Software: Pivotal - Cloud Foundry version UAA release v3.3.0 and earlier versions
  • Affected Vendor/Software: Pivotal - Cloud Foundry version All versions of Login-server
  • Affected Vendor/Software: Pivotal - Cloud Foundry version UAA release v10 and earlier versions
  • Affected Vendor/Software: Pivotal - Cloud Foundry version Elastic Runtime versions prior to 1.7.2

CVSS3 Score: 8.1 - HIGH

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 4.3 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVE References

Description: CVE-2016-3084 UAA Password Reset Vulnerability | Security | VMware Tanzu
Tags: Vendor Advisory, CONFIRM
Link: pivotal.io/security/cve-2016-3084 (text/html)

Known Affected Configurations (CPE V2.3)

Type        | Vendor           | Product                       | Version | Update | Edition | Language
Application | Pivotal Software | Cloud Foundry                 | All     | All    | All     | All
Application | Pivotal Software | Cloud Foundry Elastic Runtime | All     | All    | All     | All
Application | Pivotal Software | Cloud Foundry Uaa             | All     | All    | All     | All
Application | Pivotal Software | Cloud Foundry Uaa Release     | All     | All    | All     | All
Application | Pivotal Software | Login-server                  | -       | All    | All     | All
  • cpe:2.3:a:pivotal_software:cloud_foundry:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:cloud_foundry_elastic_runtime:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:cloud_foundry_uaa:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:cloud_foundry_uaa_release:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:pivotal_software:login-server:-:*:*:*:*:*:*:*: