CVE-2017-4974

Name of the Vulnerable Software and Affected Versions Cloud Foundry Foundation cf-release versions prior to v258 UAA release 2.x versions prior to v2.7.4.15 UAA release 3.6.x versions prior to v3.6.9 UAA release 3.9.x versions prior to v3.9.11 UAA release versions prior to v3.16.0 UAA bosh release (uaa-release) 13.x versions prior to v13.13 UAA bosh release (uaa-release) 24.x versions prior to v24.8 UAA bosh release (uaa-release) versions prior to v30.1

Description An issue allows an authorized user to use a blind SQL injection attack to query the contents of the UAA database. This is related to privileged UAA endpoints.

Recommendations For Cloud Foundry Foundation cf-release versions prior to v258, update to version v258 or later. For UAA release 2.x versions prior to v2.7.4.15, update to version v2.7.4.15 or later. For UAA release 3.6.x versions prior to v3.6.9, update to version v3.6.9 or later. For UAA release 3.9.x versions prior to v3.9.11, update to version v3.9.11 or later. For UAA release versions prior to v3.16.0, update to version v3.16.0 or later. For UAA bosh release (uaa-release) 13.x versions prior to v13.13, update to version v13.13 or later. For UAA bosh release (uaa-release) 24.x versions prior to v24.8, update to version v24.8 or later. For UAA bosh release (uaa-release) versions prior to v30.1, update to version v30.1 or later.