Piotr Komborski

Researcher at Government Digital Service
#31595 of 53,640
8.1 total CVSS
Vulnerabilities · 1
PT-2016-7026
8.1
2016-12-23
Cloud Foundry · Uaa · CVE-2016-6659
**Name of the Vulnerable Software and Affected Versions**

- Cloud Foundry versions prior to 248
- UAA versions 2.x prior to 2.7.4.12
- UAA versions 3.x prior to 3.6.5
- UAA versions 3.7.x through 3.9.x prior to 3.9.3
- UAA bosh release (aka uaa-release) versions prior to 13.9 for UAA 3.6.5
- UAA bosh release (aka uaa-release) versions prior to 24 for UAA 3.9.3

**Description**

The issue allows attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider.

**Recommendations**

- For Cloud Foundry versions prior to 248, update to version 248 or later.
- For UAA versions 2.x prior to 2.7.4.12, update to version 2.7.4.12 or later.
- For UAA versions 3.x prior to 3.6.5, update to version 3.6.5 or later.
- For UAA versions 3.7.x through 3.9.x prior to 3.9.3, update to version 3.9.3 or later.
- For UAA bosh release (aka uaa-release) versions prior to 13.9 for UAA 3.6.5, update to version 13.9 or later.
- For UAA bosh release (aka uaa-release) versions prior to 24 for UAA 3.9.3, update to version 24 or later.