PT-2016-3243 · Pivotal+1 · Pivotal Cloud Foundry (Pcf) Elastic Runtime+2
Published
2016-05-02
·
Updated
2022-05-13
·
CVE-2015-5171
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cloud Foundry Runtime cf-release versions prior to 216
UAA versions prior to 2.5.2
Pivotal Cloud Foundry (PCF) Elastic Runtime versions prior to 1.7.0
Description
The issue is related to the password change functionality, where failure to expire existing sessions can be leveraged by attackers. This allows a remote attacker to exploit an old session after a password reset, as logging in with a new password does not invalidate already established sessions.
Recommendations
For Cloud Foundry Runtime cf-release versions prior to 216, update to version 216 or later.
For UAA versions prior to 2.5.2, update to version 2.5.2 or later.
For Pivotal Cloud Foundry (PCF) Elastic Runtime versions prior to 1.7.0, update to version 1.7.0 or later.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloud Foundry Runtime
Pivotal Cloud Foundry (Pcf) Elastic Runtime
Uaa