PT-2016-7011 · Pivotal · Uaa Bosh+4

Published: 2016-09-30 · Updated: 2021-08-06 · CVE-2016-6636

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Pivotal Cloud Foundry versions prior to 242
UAA versions 2.x prior to 2.7.4.7
UAA versions 3.x prior to 3.3.0.5
UAA versions 3.4.x prior to 3.4.4
UAA BOSH versions prior to 11.5
UAA BOSH versions 12.x prior to 12.5
Elastic Runtime versions 1.6.x prior to 1.6.40
Elastic Runtime versions 1.7.x prior to 1.7.21
Elastic Runtime versions 1.8.x prior to 1.8.1
Ops Manager versions 1.7.x prior to 1.7.13
Ops Manager versions 1.8.x prior to 1.8.1
Description

The OAuth authorization implementation in the affected software mishandles redirect URI subdomains: a redirect_uri whose host is a subdomain of a registered redirect URI is accepted as if it were the registered one. This allows remote attackers to obtain implicit-grant access tokens via a modified subdomain.
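To make the bug class concrete, the following is an added illustrative example in Python, not UAA's or Pivotal's code: a lax redirect_uri check that accepts any host ending with a registered host, beside a strict component-by-component check as RFC 6749 section 3.1.2.3 requires. The registered URI and the requested URIs are constructed sample values.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed sample data: the redirect URI registered for a hypothetical client.
REGISTERED_REDIRECT_URIS = ["https://app.example.com/callback"]


def lax_redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """Weak check of the kind the advisory describes: the requested host only
    has to END WITH a registered host, so any subdomain (and even an unrelated
    host whose name happens to end with the registered name) is accepted."""
    req = urlsplit(requested)
    if req.hostname is None:
        return False
    for uri in registered:
        reg = urlsplit(uri)
        if (req.scheme == reg.scheme
                and req.hostname.endswith(reg.hostname)
                and req.path == reg.path):
            return True
    return False


def strict_redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """Hardened check: scheme, host, port, path and query must all equal those
    of a registered URI; a fragment is never allowed in a redirect URI."""
    req = urlsplit(requested)
    if req.fragment or req.hostname is None:
        return False
    for uri in registered:
        reg = urlsplit(uri)
        if ((req.scheme, req.hostname, req.port, req.path, req.query)
                == (reg.scheme, reg.hostname, reg.port, reg.path, reg.query)):
            return True
    return False


def compare_checks(requested: str) -> tuple:
    """Return (lax_result, strict_result) for one requested redirect_uri."""
    return (lax_redirect_uri_allowed(requested, REGISTERED_REDIRECT_URIS),
            strict_redirect_uri_allowed(requested, REGISTERED_REDIRECT_URIS))


if __name__ == "__main__":
    for uri in ["https://app.example.com/callback",
                "https://other.app.example.com/callback",
                "https://notapp.example.com/callback"]:
        print(uri, compare_checks(uri))
```

Only the first URI passes the strict check; the lax check also accepts the subdomain and the unrelated suffix-matching host, which is exactly why the token could be delivered to a host the client never registered.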
Recommendations

For Pivotal Cloud Foundry versions prior to 242, update to version 242 or later.
For UAA versions 2.x prior to 2.7.4.7, update to version 2.7.4.7 or later.
For UAA versions 3.x prior to 3.3.0.5, update to version 3.3.0.5 or later.
For UAA versions 3.4.x prior to 3.4.4, update to version 3.4.4 or later.
For UAA BOSH versions prior to 11.5, update to version 11.5 or later.
For UAA BOSH versions 12.x prior to 12.5, update to version 12.5 or later.
For Elastic Runtime versions 1.6.x prior to 1.6.40, update to version 1.6.40 or later.
For Elastic Runtime versions 1.7.x prior to 1.7.21, update to version 1.7.21 or later.
For Elastic Runtime versions 1.8.x prior to 1.8.1, update to version 1.8.1 or later.
For Ops Manager versions 1.7.x prior to 1.7.13, update to version 1.7.13 or later.
For Ops Manager versions 1.8.x prior to 1.8.1, update to version 1.8.1 or later.

Fix

Weakness Enumeration

Open Redirect

Related identifiers

CVE-2016-6636

Affected products

Runtime
Ops Manager
Pivotal Cloud Foundry
Uaa
Uaa Bosh