CVE-2016-6651

Name of the Vulnerable Software and Affected Versions Pivotal Cloud Foundry (PCF) versions before 243 UAA versions 2.x before 2.7.4.8 UAA versions 3.x before 3.3.0.6 UAA versions 3.4.x before 3.4.5 UAA BOSH versions before 11.7 UAA BOSH versions 12.x before 12.6 Elastic Runtime versions 1.6.x before 1.6.40 Elastic Runtime versions 1.7.x before 1.7.21 Elastic Runtime versions 1.8.x before 1.8.2 Ops Manager versions 1.7.x before 1.7.13 Ops Manager versions 1.8.x before 1.8.1

Description The issue allows remote authenticated users to gain privileges by leveraging possession of a token. This is related to the UAA /oauth/token endpoint.

Recommendations For Pivotal Cloud Foundry (PCF) versions before 243, update to version 243 or later. For UAA versions 2.x before 2.7.4.8, update to version 2.7.4.8 or later. For UAA versions 3.x before 3.3.0.6, update to version 3.3.0.6 or later. For UAA versions 3.4.x before 3.4.5, update to version 3.4.5 or later. For UAA BOSH versions before 11.7, update to version 11.7 or later. For UAA BOSH versions 12.x before 12.6, update to version 12.6 or later. For Elastic Runtime versions 1.6.x before 1.6.40, update to version 1.6.40 or later. For Elastic Runtime versions 1.7.x before 1.7.21, update to version 1.7.21 or later. For Elastic Runtime versions 1.8.x before 1.8.2, update to version 1.8.2 or later. For Ops Manager versions 1.7.x before 1.7.13, update to version 1.7.13 or later. For Ops Manager versions 1.8.x before 1.8.1, update to version 1.8.1 or later. As a temporary workaround, consider restricting access to the "/oauth/token" endpoint until a patch is available.